Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
> http://launchpadlibrarian.net/36268764/xss_in_zope.jpg
>
> ** Visibility changed to: Public
>
status confirmed
assigned tseaver
This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles. Rather, it shows up in
add-on product code (such as GenericSetup) which uses
PageTemplateFiles for the ZMI, but calls into the existing DTML
header and footer templates so::
  <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
  <h1 tal:replace="structure here/manage_tabs">TABS</h1>
  ...
  <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>
In this case, the code in the call_with_ns function (in
Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
is preserved.
The attached patch adds a test for this case and fixes the bug. I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.
Tres.

- --
===================================================================
Tres Seaver          +1 540-429-0999          <email address hidden>
Palladion Software   "Excellence by Design"    http://palladion.com