e131d462 · Tres Seaver · 342fcf0a · e131d462 · e131d462 · e131d462
Commit e131d462 authored Jan 15, 2004 by Tres Seaver
12 changed files
--- a/lib/python/App/ApplicationManager.py
+++ b/lib/python/App/ApplicationManager.py
@@ -12,7 +12,7 @@
 ##############################################################################
 __doc__="""System management components"""

-__version__='$Revision: 1.90 $'[11:-2]
+__version__='$Revision: 1.91 $'[11:-2]

 import sys,os,time,Globals, Acquisition, os, Undo
 from Globals import DTMLFile
@@ -30,6 +30,7 @@ from cStringIO import StringIO
 from AccessControl import getSecurityManager
 from zExceptions import Redirect
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
+from cgi import escape
 import zLOG
 import Lifetime

@@ -400,7 +401,7 @@ class ApplicationManager(Folder,CacheManager):
            <head><meta HTTP-EQUIV=REFRESH CONTENT="5; URL=%s/manage_main">
            </head>
            <body>Zope is restarting</body></html>
-            """ % URL1
+            """ % escape(URL1)

    def manage_shutdown(self):
        """Shut down the application"""

--- a/lib/python/App/Dialogs.py
+++ b/lib/python/App/Dialogs.py
@@ -31,7 +31,7 @@
                         target='_top')
    </PRE>"""

-__version__='$Revision: 1.8 $'[11:-2]
+__version__='$Revision: 1.9 $'[11:-2]


 from Globals import HTML
@@ -39,11 +39,11 @@ from Globals import HTML
 MessageDialog = HTML("""
 <HTML>
 <HEAD>
-<TITLE><dtml-var title></TITLE>
+<TITLE>&dtml-title;</TITLE>
 </HEAD>
 <BODY BGCOLOR="#FFFFFF">
-<FORM ACTION="<dtml-var action>" METHOD="GET" <dtml-if
- target>TARGET="<dtml-var target>"</dtml-if>>
+<FORM ACTION="&dtml-action;" METHOD="GET" <dtml-if
+ target>TARGET="&dtml-target;"</dtml-if>>
 <TABLE BORDER="0" WIDTH="100%" CELLPADDING="10">
 <TR>
  <TD VALIGN="TOP">

--- a/lib/python/App/Management.py
+++ b/lib/python/App/Management.py
@@ -13,7 +13,7 @@

 """Standard management interface support

-$Id: Management.py,v 1.65 2003/11/28 16:44:25 jim Exp $
+$Id: Management.py,v 1.66 2004/01/15 22:44:04 tseaver Exp $
 """

 import sys, Globals, ExtensionClass, urllib
@@ -21,6 +21,7 @@ from Dialogs import MessageDialog
 from Globals import DTMLFile, HTMLFile
 from zExceptions import Redirect
 from AccessControl import getSecurityManager, Unauthorized
+from cgi import escape

 class Tabs(ExtensionClass.Base):
    """Mix-in provides management folder tab support."""
@@ -89,16 +90,16 @@ class Tabs(ExtensionClass.Base):
        script = REQUEST['BASEPATH1']
        linkpat = '<a href="%s/manage_workspace">%s</a>'
        out = []
-        url = linkpat % (script, '&nbsp;/')
+        url = linkpat % (escape(script, 1), '&nbsp;/')
        if not steps:
            return url
        last = steps.pop()
        for step in steps:
            script = '%s/%s' % (script, step)
-            out.append(linkpat % (script, unquote(step)))
+            out.append(linkpat % (escape(script, 1), escape(unquote(step))))
        script = '%s/%s' % (script, last)
        out.append('<a class="strong-link" href="%s/manage_workspace">%s</a>'%
-                   (script, unquote(last)))
+                   (escape(script, 1), escape(unquote(last))))
        return '%s%s' % (url, '/'.join(out))

    def tabs_path_info(self, script, path,

--- a/lib/python/App/PersistentExtra.py
+++ b/lib/python/App/PersistentExtra.py
@@ -11,6 +11,8 @@
 #
 ##############################################################################

+import ZODB
+
 from class_init import default__class_init__
 from Persistence import Persistent
 import Globals

--- a/lib/python/DocumentTemplate/DT_In.py
+++ b/lib/python/DocumentTemplate/DT_In.py
@@ -179,10 +179,8 @@
                    ... display rows

                    <!--#if sequence-end--> <!--#if next-sequence-->
-                      <a href="<!--#var URL-->/<!--#var sequence-query
-                          -->&batch_start=<!--#var
-                          next-sequence-start-number-->">
-                      (Next <!--#var next-sequence-size--> results)
+                      <a href="&dtml-URL;/&dtml-sequence-query;batch_start=&dtml-next-sequence-start-number;">
+                      (Next &dtml-next-sequence-size; results)
                      </a>
                    <!--#/if--> <!--#/if-->

@@ -191,7 +189,7 @@
             If the original URL is: 'foo/bar?x=1&y=2', then the
             rendered text (after row data are displayed) will be::

-                      <a href="foo/bar?x=1&y=2&batch_start=20">
+                      <a href="foo/bar?x=1&amp;y=2&amp;batch_start=20">
                      (Next 20 results)
                      </a>

@@ -199,7 +197,7 @@
             then the rendered text (after row data are displayed)
             will be::

-                      <a href="foo/bar?x=1&y=2&batch_start=30">
+                      <a href="foo/bar?x=1&amp;y=2&amp;batch_start=30">
                      (Next 20 results)
                      </a>

@@ -331,8 +329,8 @@

 ''' #'

-__rcs_id__='$Id: DT_In.py,v 1.61 2003/11/18 13:17:00 tseaver Exp $'
-__version__='$Revision: 1.61 $'[11:-2]
+__rcs_id__='$Id: DT_In.py,v 1.62 2004/01/15 22:44:07 tseaver Exp $'
+__version__='$Revision: 1.62 $'[11:-2]

 import sys
 from DT_Util import ParseError, parse_params, name_param, str, join_unicode

--- a/lib/python/DocumentTemplate/DT_UI.py
+++ b/lib/python/DocumentTemplate/DT_UI.py
@@ -12,8 +12,8 @@
 ##############################################################################
 __doc__='''Machinery to support through-the-web editing

-$Id: DT_UI.py,v 1.14 2003/07/06 10:43:46 andreasjung Exp $'''
-__version__='$Revision: 1.14 $'[11:-2]
+$Id: DT_UI.py,v 1.15 2004/01/15 22:44:07 tseaver Exp $'''
+__version__='$Revision: 1.15 $'[11:-2]

 from DT_HTML import HTML

@@ -33,7 +33,7 @@ HTML._manage_editForm = HTML(
    <BODY bgcolor="#FFFFFF">
    <!--#var document_template_edit_header-->

-    <FORM name="editform" ACTION="<!--#var URL1-->/manage_edit" METHOD="POST">
+    <FORM name="editform" ACTION="&dtml-URL1;/manage_edit" METHOD="POST">
    <!--#var document_template_form_header-->
    Document template source:
    <center>
@@ -51,19 +51,19 @@ HTML._manage_editForm = HTML(
      <INPUT NAME=SUBMIT TYPE="SUBMIT" VALUE="Change">
      <INPUT NAME=SUBMIT TYPE="RESET"  VALUE="Reset">
      <INPUT NAME="dt_edit_name" TYPE="HIDDEN"
-             VALUE="<!--#var URL1-->">
+             VALUE="&dtml-URL1;">
      <!--#if FactoryDefaultString-->
        <INPUT NAME=SUBMIT TYPE="SUBMIT"
-         VALUE="<!--#var FactoryDefaultString-->">
+         VALUE="&dtml-FactoryDefaultString;">
      <!--#/if FactoryDefaultString-->
      <INPUT NAME=SUBMIT TYPE="SUBMIT" VALUE="Cancel">
      <!--#if HTTP_REFERER-->
         <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"
-                VALUE="<!--#var HTTP_REFERER-->">
+                VALUE="&dtml-HTTP_REFERER;">
      <!--#else HTTP_REFERER-->
         <!--#if URL1-->
           <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"
-                  VALUE="<!--#var URL1-->">
+                  VALUE="&dtml-URL1;">
         <!--#/if URL1-->
      <!--#/if HTTP_REFERER-->
    </center>
@@ -78,14 +78,14 @@ HTML._manage_editForm = HTML(
 HTML.editConfirmation=HTML(
    """<html><head><title>Change Successful</title></head><body>
    <!--#if CANCEL_ACTION-->
-      <form action="<!--#var CANCEL_ACTION-->" method="POST">
+      <form action="&dtml-CANCEL_ACTION;" method="POST">
        <center>
-           <em><!--#var dt_edit_name--></em><br>has been changed.<br><br>
+           <em>&dtml-dt_edit_name;</em><br>has been changed.<br><br>
           <input type=submit name="SUBMIT" value="OK">
        </center>
      </form></body></html>
    <!--#else CANCEL_ACTION-->
      <center>
-         <em><!--#var dt_edit_name--></em><br>has been changed.
+         <em>&dtml-dt_edit_name;</em><br>has been changed.
      </center>
    <!--#/if CANCEL_ACTION-->""")
--- a/lib/python/HelpSys/HelpSys.py
+++ b/lib/python/HelpSys/HelpSys.py
@@ -17,6 +17,7 @@ from OFS.ObjectManager import ObjectManager
 from Globals import Persistent, DTMLFile, HTML
 from Products.ZCatalog.ZCatalog import ZCatalog
 from Products.ZCatalog.Lazy import LazyCat
+from cgi import escape
 import Products
 import HelpTopic
 import Globals
@@ -103,14 +104,14 @@ class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
            )
        help_url='%s?help_url=%s' % (self.absolute_url(), help_url)

-        script='window.open(\'%s\',\'zope_help\',\'width=600,' \
-                'height=500,menubar=yes,toolbar=yes,scrollbars=yes,' \
-                'resizable=yes\'); return false;' % help_url
+        script="window.open('%s','zope_help','width=600,height=500," \
+               "menubar=yes,toolbar=yes,scrollbars=yes,resizable=yes');" \
+               "return false;" % escape(help_url, 1).replace("'", "\\'")

        h_link='<a href="%s" onClick="%s" onMouseOver="window.status=' \
               '\'Open online help\'; return true;" onMouseOut="' \
               'window.status=\'\'; return true;">Help!</a>' % (
-               help_url, script
+               escape(help_url, 1), script
               )

        return h_link

--- a/lib/python/Shared/DC/ZRDB/Aqueduct.py
+++ b/lib/python/Shared/DC/ZRDB/Aqueduct.py
@@ -12,8 +12,8 @@
 ##############################################################################
 __doc__='''Shared classes and functions

-$Id: Aqueduct.py,v 1.57 2003/11/18 13:17:14 tseaver Exp $'''
-__version__='$Revision: 1.57 $'[11:-2]
+$Id: Aqueduct.py,v 1.58 2004/01/15 22:44:08 tseaver Exp $'''
+__version__='$Revision: 1.58 $'[11:-2]

 import Globals, os
 from Globals import Persistent
@@ -158,7 +158,7 @@ def default_input_form(id,arguments,action='query',
                '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\n'
                '<html lang="en"><head><title>%s Input Data</title></head>\n'
                '<body bgcolor="#FFFFFF" link="#000099" vlink="#555555">\n%s\n'
-                '<form action="<dtml-var URL2>/<dtml-var id>/%s" '
+                '<form action="&dtml-URL2;/&dtml-id;/%s" '
                'method="get">\n'
                '<h2>%s Input Data</h2>\n'
                'Enter query parameters:<br>'
@@ -187,7 +187,7 @@ def default_input_form(id,arguments,action='query',
                '<dtml-if HTTP_REFERER>\n'
                '  <input type="SUBMIT" name="SUBMIT" value="Cancel">\n'
                '  <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"\n'
-                '         VALUE="<dtml-var HTTP_REFERER>">\n'
+                '         VALUE="&dtml-HTTP_REFERER;">\n'
                '</dtml-if>\n'
                '</td></tr>\n</table>\n</form>\n</body>\n</html>\n'
                )
@@ -197,7 +197,7 @@ def default_input_form(id,arguments,action='query',
            '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\n'
            '<html lang="en"><head><title>%s Input Data</title></head>\n'
            '<body bgcolor="#FFFFFF" link="#000099" vlink="#555555">\n%s\n'
-            '<form action="<dtml-var URL2>/<dtml-var id>/%s" '
+            '<form action="&dtml-URL2;/&dtml-id;/%s" '
            'method="get">\n'
            '<h2>%s Input Data</h2>\n'
            'This query requires no input.<p>\n'
@@ -205,7 +205,7 @@ def default_input_form(id,arguments,action='query',
            '<dtml-if HTTP_REFERER>\n'
            '  <input type="SUBMIT" name="SUBMIT" value="Cancel">\n'
            '  <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"\n'
-            '         VALUE="<dtml-var HTTP_REFERER>">\n'
+            '         VALUE="&dtml-HTTP_REFERER;">\n'
            '</dtml-if>\n'
            '</td></tr>\n</table>\n</form>\n</body>\n</html>\n'
            % (id, tabs, action, id)

--- a/lib/python/Shared/DC/ZRDB/Connection.py
+++ b/lib/python/Shared/DC/ZRDB/Connection.py
@@ -12,8 +12,8 @@
 ##############################################################################
 __doc__='''Generic Database Connection Support

-$Id: Connection.py,v 1.38 2003/11/18 13:17:14 tseaver Exp $'''
-__version__='$Revision: 1.38 $'[11:-2]
+$Id: Connection.py,v 1.39 2004/01/15 22:44:08 tseaver Exp $'''
+__version__='$Revision: 1.39 $'[11:-2]

 import Globals, OFS.SimpleItem, AccessControl.Role, Acquisition, sys
 from DateTime import DateTime
@@ -25,6 +25,7 @@ from cStringIO import StringIO
 from Results import Results
 from sys import exc_info
 from zLOG import LOG, ERROR
+from cgi import escape
 import DocumentTemplate, RDB
 from zExceptions import BadRequest

@@ -103,7 +104,7 @@ class Connection(
        if REQUEST is not None:
            return MessageDialog(
                title='Edited',
-                message='<strong>%s</strong> has been edited.' % self.id,
+                message='<strong>%s</strong> has been edited.' % escape(self.id),
                action ='./manage_main',
                )


--- a/lib/python/Shared/DC/ZRDB/Search.py
+++ b/lib/python/Shared/DC/ZRDB/Search.py
@@ -12,12 +12,13 @@
 ##############################################################################
 __doc__='''Search Interface Wizard

-$Id: Search.py,v 1.21 2003/11/18 13:17:14 tseaver Exp $'''
-__version__='$Revision: 1.21 $'[11:-2]
+$Id: Search.py,v 1.22 2004/01/15 22:44:08 tseaver Exp $'''
+__version__='$Revision: 1.22 $'[11:-2]

 from Globals import DTMLFile
 from Aqueduct import custom_default_report, custom_default_zpt_report, nicify, Args
 from string import join
+from cgi import escape
 from AccessControl import getSecurityManager

 addForm=DTMLFile('dtml/searchAdd', globals())
@@ -57,7 +58,7 @@ def manage_addZSearch(self, report_id, report_title, report_style,
                cannot be generated.  Before creating a report
                from this query, you must try out the query.  To
                try out the query, <a href="%s">click here</a>.
-                """ % (q.title_and_id(), url))
+                """ % (escape(q.title_and_id()), escape(url, 1)))

    if object_type == 'dtml_methods':


--- a/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml
+++ b/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml
@@ -3,8 +3,7 @@

      <dtml-if previous-sequence>

-        <a href="&dtml-URL;<dtml-var sequence-query
-                 >query_start=<dtml-var previous-sequence-start-number>">
+        <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-previous-sequence-start-number;">
        (Previous <dtml-var previous-sequence-size> results)
        </a>

@@ -24,8 +23,7 @@

      <dtml-if next-sequence>

-         <a href="&dtml-URL;<dtml-var sequence-query
-            >query_start=<dtml-var next-sequence-start-number>">
+         <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-next-sequence-start-number;">
         (Next <dtml-var next-sequence-size> results)
         </a>


--- a/lib/python/ZClasses/Method.py
+++ b/lib/python/ZClasses/Method.py
@@ -25,6 +25,7 @@ from Products.PythonScripts.PythonScript import PythonScript
 from zExceptions import BadRequest

 import marshal
+from cgi import escape

 _marker=[]
 class ZClassMethodsSheet(
@@ -107,11 +108,11 @@ class ZClassMethodsSheet(
    def _checkId(self, id, allow_dup=0,
                 _reserved=('propertysheets','manage_workspace')):
        if id in _reserved:
-            raise BadRequest, 'The id, %s, is reseverd' % id
+            raise BadRequest, 'The id, %s, is reserved' % escape(id)

        if not allow_dup and self.getClassAttr(id, self) is not self:
            raise BadRequest, (
-                'The id %s is invalid - it is already in use.' % id)
+                'The id %s is invalid - it is already in use.' % escape(id))

        ZClassMethodsSheet.inheritedAttribute('_checkId')(
            self, id, 1)