Prevent ZPublisher from insering incorrect <base/> tags into the

headers of plain html files served from Zope3 resource directories.

Also cleanup whitespace in CHANGES.txt.

doc/CHANGES.txt

@@ -70,7 +70,7 @@ Zope Changes
         ISO-8859-15. For other encodings you might set the environment variable
         ZPT_REFERRED_ENCODING to insert your preferred encoding in front of
         utf-8 and ISO-8859-15 within the encoding sniffer code.
-        
+
         In addition there is a new 'output_encodings' property that controls
         the conversion from/to unicode for WebDAV/FTP operations.
 
@@ -80,11 +80,11 @@ Zope Changes
         Products/PageTemplates/(configure.zcml, unicodeconflictresolver.py,
         interfaces.py)
 
-      - AccessControl.Role: added new method 
+      - AccessControl.Role: added new method
         manage_getUserRolesAndPermissions().
- 
-      - AccessControl: the form behind the "Security" tab has a new form 
-        for user-related reporting of permissions and roles 
+
+      - AccessControl: the form behind the "Security" tab has a new form
+        for user-related reporting of permissions and roles
 
     Bugs Fixed
 
@@ -97,7 +97,7 @@ Zope Changes
 
       - Collector #2294: Protected DOS-able ControlPanel methods with the
         same 'requestmethod' wrapper.
-  
+
       - Collector #2294: Protected various security mutators with a new
         'postonly' decorator.  The decorator limits method publishing to
         POST requests only, and is a backport from Zope 2.11's requestmethod
@@ -109,9 +109,9 @@ Zope Changes
         is looked up.
 
       - PageTemplate/ZRPythonExpr.py: expressions represented as unicode string
-        caused UnicodeDecodeErrors. 
+        caused UnicodeDecodeErrors.
 
-      - PluginIndexes: Fixed 'parseIndexRequest' for false values. 
+      - PluginIndexes: Fixed 'parseIndexRequest' for false values.
 
       - Collector #2269: fixed broken ZPT FTP support
 
@@ -190,6 +190,9 @@ Zope Changes
 
       - Collector #2187: PUT_factory broken (fwd port from 2.10 branch).
 
+      - Prevent ZPublisher from insering incorrect <base/> tags into the
+        headers of plain html files served from Zope3 resource directories.
+
     Other Changes
 
       - Disabled docutils file inclusion completely, rather than trying

lib/python/Products/Five/browser/resource.py

@@ -61,6 +61,9 @@ class PageTemplateResource(BrowserView, Resource):
 
     def render(self):
         """Rendered content"""
+        # ZPublisher might have called setBody with an incorrect URL
+        # we definitely don't want that if we are plain html
+        self.request.RESPONSE.setBase(None)
         pt = self.context
         return pt(self.request)
 

lib/python/Products/Five/browser/tests/resource_ftest.txt

@@ -78,6 +78,33 @@ We also can traverse into sub-directories:
   <BLANKLINE>
 
 
+We also can traverse into sub-directories:
+
+  >>> print http(r'''
+  ... GET /test_folder_1_/testoid/++resource++fivetest_resources/resource_subdir/resource.txt HTTP/1.1
+  ... Authorization: Basic manager:r00t
+  ... ''')
+  HTTP/1.1 200 OK
+  ...
+  This is a resource in a subdirectory of a normal resource to test traversal.
+  <BLANKLINE>
+
+  >>> print http(r'''
+  ... GET /test_folder_1_/testoid/++resource++fivetest_resources/resource_subdir/resource.html HTTP/1.1
+  ... Authorization: Basic manager:r00t
+  ... ''')
+  HTTP/1.1 200 OK
+  ...
+  <html>
+      <head>
+      </head>
+      <body>
+          This .html should not have a base tag automatically
+          added to the header.
+      </body>
+  </html>
+  <BLANKLINE>
+
 Clean up
 --------
 

lib/python/Products/Five/browser/tests/resource_subdir/resource.html

+<html>
+    <head>
+    </head>
+    <body>
+        This .html should not have a base tag automatically
+        added to the header.
+    </body>
+</html>