Fixed reflective XSS in findResult.

This applies PloneHotfix20170117.

Fixed reflective XSS in findResult.
This applies PloneHotfix20170117.
e130ee11 · Maurits van Rees · 4223f551 · e130ee11 · e130ee11
Commit e130ee11 authored Jan 17, 2017 by Maurits van Rees
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

doc/CHANGES.rst doc/CHANGES.rst +2 -0

src/OFS/dtml/findResult.dtml src/OFS/dtml/findResult.dtml +1 -1

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
 2.13.26 (unreleased)
 --------------------

+- Fixed reflective XSS in findResult.
+  This applies PloneHotfix20170117.  [maurits]


 2.13.25 (2017-01-13)

--- a/src/OFS/dtml/findResult.dtml
+++ b/src/OFS/dtml/findResult.dtml
@@ -128,7 +128,7 @@ your search terms below.
  </div>
  </TD>
  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])">">
+  <INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])" html_quote>">
  </TD>
 </TR>