- Merge CGI escapes from 2.6 / 2.7 audit.

b9e11ef3 · Tres Seaver · 24953cfa · b9e11ef3 · b9e11ef3 · b9e11ef3
Commit b9e11ef3 authored Jan 15, 2004 by Tres Seaver
10 changed files
--- a/lib/python/Products/OFSP/Version.py
+++ b/lib/python/Products/OFSP/Version.py
@@ -12,7 +12,7 @@
 ##############################################################################
 """Version object"""

-__version__='$Revision: 1.53 $'[11:-2]
+__version__='$Revision: 1.54 $'[11:-2]

 import Globals, time
 from AccessControl.Role import RoleManager
@@ -23,6 +23,7 @@ from OFS.SimpleItem import Item
 from Globals import HTML
 from App.Dialogs import MessageDialog
 from OFS.ObjectManager import BeforeDeleteException
+from cgi import escape

 class VersionException(BeforeDeleteException): pass

@@ -108,7 +109,7 @@ class Version(Persistent,Implicit,RoleManager,Item):
                action=REQUEST['URL1']+'/manage_main',
                message=('If cookies are enabled by your browser, then '
                         'you should have joined version %s.'
-                         % self.id)
+                         % escape(self.id))
                )
        return RESPONSE.redirect(REQUEST['URL1']+'/manage_main')


--- a/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml
+++ b/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml
@@ -40,14 +40,14 @@

 <dtml-in words previous size=20 start=query_start >
  <span class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
    [Previous <dtml-var previous-sequence-size> entries]
  </a>
  </span>
 </dtml-in>
 <dtml-in words next size=20 start=query_start >
  <span class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
    [Next <dtml-var next-sequence-size> entries]
  </a>
  </span>
@@ -83,7 +83,7 @@

 <dtml-in words previous size=20 start=query_start >
  <div class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
    [Previous <dtml-var previous-sequence-size> entries]
  </a>
  </div>
@@ -91,7 +91,7 @@

 <dtml-in words next size=20 start=query_start >
  <div class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
    [Next <dtml-var next-sequence-size> entries]
  </a>
  </div>

--- a/lib/python/Products/SiteAccess/AccessRule.py
+++ b/lib/python/Products/SiteAccess/AccessRule.py
@@ -8,6 +8,7 @@ from ZPublisher.BeforeTraverse import \
 registerBeforeTraverse, unregisterBeforeTraverse, queryBeforeTraverse, \
 NameCaller
 import os
+from cgi import escape

 SUPPRESS_ACCESSRULE = os.environ.has_key('SUPPRESS_ACCESSRULE')

@@ -60,12 +61,13 @@ def manage_addAccessRule(self, method_id=None, REQUEST=None, **ignored):
        if REQUEST:
            return MessageDialog(title='Access Rule Set',
              message='"%s" is now the Access Rule for this object'
-                      % method_id,
+                      % escape(method_id),
              action='%s/manage_main' % REQUEST['URL1'])
    else:
        if REQUEST:
            return MessageDialog(title='Invalid Method Id',
-              message='"%s" is not the Id of a method of this object' % method_id,
+              message='"%s" is not the Id of a method of this object'
+                      % escape(method_id),
              action='%s/manage_main' % REQUEST['URL1'])

 def getAccessRule(self, REQUEST=None):

--- a/lib/python/Products/SiteAccess/SiteRoot.py
+++ b/lib/python/Products/SiteAccess/SiteRoot.py
@@ -9,6 +9,7 @@ from Acquisition import Implicit, ImplicitAcquisitionWrapper
 from ExtensionClass import Base
 from ZPublisher import BeforeTraverse
 import os
+from cgi import escape

 from AccessRule import _swallow

@@ -38,7 +39,7 @@ class Traverser(Persistent, Item):
        self.addToContainer(container)
        if nextURL:
            return MessageDialog(title='Item Added',
-              message='This object now has a %s' % self.meta_type,
+              message='This object now has a %s' % escape(self.meta_type),
              action=nextURL)

    def manage_beforeDelete(self, item, container):
@@ -60,7 +61,7 @@ class Traverser(Persistent, Item):
        if id != self.id:
            raise MessageDialog(
                title='Invalid Id',
-                message='Cannot change the id of a %s' % self.meta_type,
+                message='Cannot change the id of a %s' % escape(self.meta_type),
                action ='./manage_main',)

 class SiteRoot(Traverser, Implicit):
@@ -99,7 +100,7 @@ class SiteRoot(Traverser, Implicit):
            return MessageDialog(title='SiteRoot changed.',
              message='The title is now "%s"<br>'
                      'The base is now "%s"<br>'
-                      'The path is now "%s"<br>' % (title, base, path),
+                      'The path is now "%s"<br>' % map(escape, (title, base, path)),
              action='%s/manage_main' % REQUEST['URL1'])

    def __call__(self, client, request, response=None):

--- a/lib/python/Products/SiteAccess/doc/vhosting.html
+++ b/lib/python/Products/SiteAccess/doc/vhosting.html
@@ -52,7 +52,7 @@ The second, and more difficult, half of virtual hosting is getting your Zope
 if you are rewriting hotsite as described above, then a standard DTML snippet
 such as
 <pre>
-&lt;a href=&quot;&lt;dtml-var URL&gt;/hottopics&quot;&gt;
+&lt;a href=&quot;&amp;dtml-URL;/hottopics&quot;&gt;
 </pre>
 in object '/hotsite/forum' will generate
 <pre>

--- a/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py
+++ b/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py
@@ -24,6 +24,7 @@ import time
 import Globals
 from Globals import DTMLFile
 import urlparse, httplib
+from cgi import escape
 from urllib import quote
 from App.Common import rfc1123_date

@@ -213,7 +214,7 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
        if sort_by == id:
            newsr = not sort_reverse
        url = url + '&sort_reverse=' + (newsr and '1' or '0')
-        return '<a href="%s">%s</a>' % (url, name)
+        return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))


 Globals.default__class_init__(AcceleratedHTTPCacheManager)

--- a/lib/python/Products/StandardCacheManagers/RAMCacheManager.py
+++ b/lib/python/Products/StandardCacheManagers/RAMCacheManager.py
@@ -21,6 +21,7 @@ $Id$
 from OFS.Cache import Cache, CacheManager
 from OFS.SimpleItem import SimpleItem
 from thread import allocate_lock
+from cgi import escape
 import time
 import Globals
 from Globals import DTMLFile
@@ -433,7 +434,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
        if sort_by == id:
            newsr = not sort_reverse
        url = url + '&sort_reverse=' + (newsr and '1' or '0')
-        return '<a href="%s">%s</a>' % (url, name)
+        return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))

 Globals.default__class_init__(RAMCacheManager)


--- a/lib/python/Products/ZCatalog/dtml/catalogView.dtml
+++ b/lib/python/Products/ZCatalog/dtml/catalogView.dtml
@@ -35,12 +35,12 @@ function toggleSelect() {
 </p>
  <div class="form-text">
  <dtml-in searchResults previous size=20 start=query_start >
-    <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
      [Previous <dtml-var previous-sequence-size> entries]
    </a>
  </dtml-in>
  <dtml-in searchResults next size=20 start=query_start >
-    <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
      [Next <dtml-var next-sequence-size> entries]
    </a>
  </dtml-in>

--- a/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml
+++ b/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml
@@ -10,14 +10,14 @@

 <dtml-in words previous size=20 start=query_start >
  <span class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
    [Previous <dtml-var previous-sequence-size> entries]
  </a>
  </span>
 </dtml-in>
 <dtml-in words next size=20 start=query_start >
  <span class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
    [Next <dtml-var next-sequence-size> entries]
  </a>
  </span>
@@ -47,7 +47,7 @@

 <dtml-in words previous size=20 start=query_start >
  <div class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
    [Previous <dtml-var previous-sequence-size> entries]
  </a>
  </div>
@@ -55,7 +55,7 @@

 <dtml-in words next size=20 start=query_start >
  <div class="list-nav">
-  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
    [Next <dtml-var next-sequence-size> entries]
  </a>
  </div>

--- a/lib/python/Products/ZopeTutorial/TutorialTopic.py
+++ b/lib/python/Products/ZopeTutorial/TutorialTopic.py
@@ -13,6 +13,7 @@
 import OFS.Folder
 from HelpSys.HelpTopic import TextTopic
 from Globals import HTML, DTMLFile, MessageDialog
+from cgi import escape
 import DateTime
 import DocumentTemplate
 import StructuredText
@@ -98,7 +99,8 @@ window.open("%s/manage_main", "manage_main");
 <a href="%s/manage_main" target="manage_main"
 onClick="javascript:window.open('%s/manage_main', 'manage_main').focus()"
 >Show lesson examples</a> in another window.
-</p>""" % (url, url, url)
+</p>""" % (url.replace('"', '\\"'), escape(url, 1),
+           escape(url, 1).replace("'", "\\'"))


    tutorialNavigation=DTMLFile('dtml/tutorialNav', globals())