Quote variables in manage_tabs and manage_container to avoid XSS.

From Products.PloneHotfix20160830.

Quote variables in manage_tabs and manage_container to avoid XSS.
From Products.PloneHotfix20160830.
39d6f9fb · Maurits van Rees · e0a09da0 · 39d6f9fb · 39d6f9fb · 39d6f9fb
Commit 39d6f9fb authored Sep 07, 2016 by Maurits van Rees
3 changed files
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
 2.13.25 (unreleased)
 --------------------

+- Quote variables in manage_tabs and manage_container to avoid XSS.
+  From Products.PloneHotfix20160830.  [maurits]
+
 - Add a dependency on the empty `Products.TemporaryFolder` project.

 - Add a dependency on the empty `Products.Sessions` project.

--- a/src/App/dtml/manage_tabs.dtml
+++ b/src/App/dtml/manage_tabs.dtml
@@ -156,7 +156,7 @@

 <dtml-if manage_tabs_message>
 <div class="system-msg">
-<dtml-var manage_tabs_message newline_to_br>
+<dtml-var manage_tabs_message newline_to_br html_quote>
 (<dtml-var ZopeTime fmt="%Y-%m-%d %H:%M">)
 </div>
 </dtml-if>

--- a/src/Products/Transience/dtml/manageTransientObjectContainer.dtml
+++ b/src/Products/Transience/dtml/manageTransientObjectContainer.dtml
@@ -38,7 +38,7 @@ Transient data will persist, but only for a user-specified period of time
    </div>
  </td>
  <td align="left" valign="top">
-    <input type="text" name="title" size=30 value="&dtml-title;">
+    <input type="text" name="title" size=30 value='<dtml-var name="title" html_quote>'>
  </td>
 </tr>
 <tr>
@@ -52,7 +52,7 @@ Transient data will persist, but only for a user-specified period of time
  </td>
  <td align="left" valign="top">
    <input type="text" name="timeout_mins:int" size=10
-     value=&dtml-getTimeoutMinutes;>
+           value='<dtml-var name="getTimeoutMinutes" html_quote>'>
  </td>
 </tr>

@@ -72,7 +72,7 @@ Transient data will persist, but only for a user-specified period of time
  </td>
  <td align="left" valign="top">
    <input type="text" name="period_secs:int" size=10
-     value=&dtml-getPeriodSeconds;>
+      value='<dtml-var name="getPeriodSeconds" html_quote>'>
  </td>
 </tr>

@@ -87,7 +87,7 @@ Transient data will persist, but only for a user-specified period of time
  </td>
  <td align="left" valign="top">
    <input type="text" name="limit:int" size=10
-     value=&dtml-getSubobjectLimit;>
+      value='<dtml-var name="getSubobjectLimit" html_quote>'>
  </td>
 </tr>

@@ -102,7 +102,7 @@ Transient data will persist, but only for a user-specified period of time
  </td>
  <td align="left" valign="top">
     <input type="text" name="addNotification"
-     	value="&dtml-getAddNotificationTarget;" size=40>
+       value='<dtml-var name="getAddNotificationTarget" html_quote>' size=40>
  </td>
 </tr>

@@ -117,7 +117,7 @@ Transient data will persist, but only for a user-specified period of time
  </td>
  <td align="left" valign="top">
     <input type="text" name="delNotification"
-     	value="&dtml-getDelNotificationTarget;" size=40>
+      value='<dtml-var name="getDelNotificationTarget" html_quote>' size=40>
  </td>
 </tr>