Merge pull request #86 from zopefoundation/apply-plonehotfix-20170717-213

Apply plonehotfix 20170717 [2.13]

Merge pull request #86 from zopefoundation/apply-plonehotfix-20170717-213
Apply plonehotfix 20170717 [2.13]
554c81bc · Tres Seaver · GitHub · c668b3ef · e130ee11 · 554c81bc
Commit 554c81bc authored Jan 17, 2017 by Tres Seaver Committed by GitHub Jan 17, 2017
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 21 deletions

doc/CHANGES.rst doc/CHANGES.rst +2 -0

src/OFS/dtml/findResult.dtml src/OFS/dtml/findResult.dtml +21 -21

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
 2.13.26 (unreleased)
 --------------------

+- Fixed reflective XSS in findResult.
+  This applies PloneHotfix20170117.  [maurits]


 2.13.25 (2017-01-13)

--- a/src/OFS/dtml/findResult.dtml
+++ b/src/OFS/dtml/findResult.dtml
@@ -128,7 +128,7 @@ your search terms below.
  </div>
  </TD>
  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])">">
+  <INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])" html_quote>">
  </TD>
 </TR>