- More CGI escape merge.

lib/python/OFS/Application.py

@@ -12,8 +12,8 @@
 ##############################################################################
 __doc__='''Application support
 
-$Id: Application.py,v 1.200 2004/01/11 15:32:44 chrism Exp $'''
-__version__='$Revision: 1.200 $'[11:-2]
+$Id: Application.py,v 1.201 2004/01/15 22:47:23 tseaver Exp $'''
+__version__='$Revision: 1.201 $'[11:-2]
 
 import Globals,Folder,os,sys,App.Product, App.ProductRegistry, misc_
 import time, traceback, os,  Products
@@ -22,6 +22,7 @@ from AccessControl.User import UserFolder
 from App.ApplicationManager import ApplicationManager
 from webdav.NullResource import NullResource
 from FindSupport import FindSupport
+from cgi import escape
 from urllib import quote
 from StringIO import StringIO
 from AccessControl.PermissionRole import PermissionRole
@@ -122,8 +123,8 @@ class Application(Globals.ApplicationDefaultPermissions,
         """Returns an HTML fragment that displays the 'powered by zope'
         button along with a link to the Zope site."""
         return '<a href="http://www.zope.org/Credits" target="_top"><img ' \
-               'src="%s/p_/ZopeButton" width="115" height="50" ' \
-               'border="0" alt="Powered by Zope" /></a>' % self.REQUEST.BASE1
+               'src="%s/p_/ZopeButton" width="115" height="50" border="0" ' \
+               'alt="Powered by Zope" /></a>' % escape(self.REQUEST.BASE1, 1)
 
 
     def DELETE(self, REQUEST, RESPONSE):

lib/python/OFS/CopySupport.py

@@ -11,7 +11,7 @@
 #
 ##############################################################################
 __doc__="""Copy interface"""
-__version__='$Revision: 1.89 $'[11:-2]
+__version__='$Revision: 1.90 $'[11:-2]
 
 import sys,  Globals, Moniker, tempfile, ExtensionClass
 from marshal import loads, dumps
@@ -23,6 +23,7 @@ from AccessControl import getSecurityManager
 from Acquisition import aq_base, aq_inner, aq_parent
 from zExceptions import Unauthorized, BadRequest
 from webdav.Lockable import ResourceLockedError
+from cgi import escape
 
 CopyError='Copy Error'
 
@@ -73,7 +74,7 @@ class CopyContainer(ExtensionClass.Base):
                 raise ResourceLockedError, 'Object "%s" is locked via WebDAV' % ob.getId()
 
             if not ob.cb_isMoveable():
-                raise CopyError, eNotSupported % id
+                raise CopyError, eNotSupported % escape(id)
             m=Moniker.Moniker(ob)
             oblist.append(m.dump())
         cp=(1, oblist)
@@ -98,7 +99,7 @@ class CopyContainer(ExtensionClass.Base):
         for id in ids:
             ob=self._getOb(id)
             if not ob.cb_isCopyable():
-                raise CopyError, eNotSupported % id
+                raise CopyError, eNotSupported % escape(id)
             m=Moniker.Moniker(ob)
             oblist.append(m.dump())
         cp=(0, oblist)
@@ -157,7 +158,7 @@ class CopyContainer(ExtensionClass.Base):
             # Copy operation
             for ob in oblist:
                 if not ob.cb_isCopyable():
-                    raise CopyError, eNotSupported % ob.getId()
+                    raise CopyError, eNotSupported % escape(ob.getId())
                 try:    ob._notifyOfCopyTo(self, op=0)
                 except: raise CopyError, MessageDialog(
                     title='Copy Error',
@@ -182,7 +183,7 @@ class CopyContainer(ExtensionClass.Base):
             for ob in oblist:
                 id=ob.getId()
                 if not ob.cb_isMoveable():
-                    raise CopyError, eNotSupported % id
+                    raise CopyError, eNotSupported % escape(id)
                 try:    ob._notifyOfCopyTo(self, op=1)
                 except: raise CopyError, MessageDialog(
                     title='Move Error',
@@ -242,7 +243,7 @@ class CopyContainer(ExtensionClass.Base):
         if ob.wl_isLocked():
             raise ResourceLockedError, 'Object "%s" is locked via WebDAV' % ob.getId()
         if not ob.cb_isMoveable():
-            raise CopyError, eNotSupported % id
+            raise CopyError, eNotSupported % escape(id)
         self._verifyObjectPaste(ob)
         try:    ob._notifyOfCopyTo(self, op=1)
         except: raise CopyError, MessageDialog(
@@ -269,7 +270,7 @@ class CopyContainer(ExtensionClass.Base):
     def manage_clone(self, ob, id, REQUEST=None):
         # Clone an object, creating a new object with the given id.
         if not ob.cb_isCopyable():
-            raise CopyError, eNotSupported % ob.getId()
+            raise CopyError, eNotSupported % escape(ob.getId())
         try: self._checkId(id)
         except: raise CopyError, MessageDialog(
                       title='Invalid Id',
@@ -510,11 +511,11 @@ def cookie_path(request):
 fMessageDialog=Globals.HTML("""
 <HTML>
 <HEAD>
-<TITLE><dtml-var title></TITLE>
+<TITLE>&dtml-title;</TITLE>
 </HEAD>
 <BODY BGCOLOR="#FFFFFF">
-<FORM ACTION="<dtml-var action>" METHOD="GET" <dtml-if
- target>TARGET="<dtml-var target>"</dtml-if>>
+<FORM ACTION="&dtml-action;" METHOD="GET" <dtml-if
+ target>TARGET="&dtml-target;"</dtml-if>>
 <TABLE BORDER="0" WIDTH="100%%" CELLPADDING="10">
 <TR>
   <TD VALIGN="TOP">

lib/python/OFS/dtml/findResult.dtml

@@ -60,13 +60,13 @@ your search terms below.
 <td width="50%">
  <div class="list-item">
  <dtml-in name="results" previous size="batch_size" start="query_start">
- <strong> <a href="&dtml-URL;<dtml-var name="sequence-query">query_start=<dtml-var name="previous-sequence-start-number">">&lt; Previous</a></strong>
+ <strong> <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-previous-sequence-start-number;">&lt; Previous</a></strong>
  <dtml-else>&nbsp;</dtml-in></div>
 </td>
 <td align="right" width="50%">
  <div class="list-item">
  <dtml-in name="results" next size=batch_size start=query_start>
- <strong><a href="&dtml-URL;<dtml-var sequence-query>query_start=<dtml-var next-sequence-start-number>">Next &gt;</a></strong>
+ <strong><a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-next-sequence-start-number;">Next &gt;</a></strong>
  <dtml-else>&nbsp;</dtml-in></div>
 </td>
 </tr>