Merge pull request #68 from zopefoundation/apply-plone-hotfix-20160830-master

Quote variable in manage_tabs to avoid XSS [master]

CHANGES.rst

@@ -11,6 +11,9 @@ https://zope.readthedocs.io/en/2.13/CHANGES.html
 Bugs Fixed
 ++++++++++
 
+- Quote variable in manage_tabs to avoid XSS.
+  From Products.PloneHotfix20160830.  [maurits]
+
 - Remove more HelpSys references.
 
 Features Added

src/App/dtml/manage_tabs.dtml

@@ -38,8 +38,8 @@
 <dtml-in manage_options mapping>
 <dtml-let s_item=sequence-item s_index=sequence-index>
 <dtml-if "s_index==a_">
-  <td bgcolor="#ffffff" valign="bottom" class="tab-small" 
-   align="center"><font face="Verdana, Arial, Helvetica" 
+  <td bgcolor="#ffffff" valign="bottom" class="tab-small"
+   align="center"><font face="Verdana, Arial, Helvetica"
    size="1" color="#000000">&nbsp;<a <dtml-if "s_item.get('action')"
    >href="&dtml-action;"<dtml-else
    >href="<dtml-var "REQUEST.URL1" html_quote>"</dtml-if
@@ -47,8 +47,8 @@
    >><span style="color: #000000;"><strong><dtml-var "s_item['label']"
    ></strong></span></a>&nbsp;</font></td>
 <dtml-else>
-  <td bgcolor="#efefef" valign="bottom" class="tab-small" 
-   align="center"><font face="Verdana, Arial, Helvetica" 
+  <td bgcolor="#efefef" valign="bottom" class="tab-small"
+   align="center"><font face="Verdana, Arial, Helvetica"
    size="1" color="#000000">&nbsp;<a <dtml-if "s_item.get('action')"
    >href="&dtml-action;"<dtml-else
    >href="<dtml-var "REQUEST.URL1" html_quote>"</dtml-if
@@ -82,7 +82,7 @@
       &dtml-meta_type;
     <dtml-else>
     Object
-    </dtml-if> 
+    </dtml-if>
     at <dtml-var expr="tabs_path_default(REQUEST)">
     </strong>
     <dtml-if wl_isLocked>
@@ -97,7 +97,7 @@
 
 <dtml-if manage_tabs_message>
 <div class="system-msg">
-<dtml-var manage_tabs_message newline_to_br> 
+<dtml-var manage_tabs_message newline_to_br html_quote>
 (<dtml-var ZopeTime fmt="%Y-%m-%d %H:%M">)
 </div>
 </dtml-if>