Merge pull request #87 from zopefoundation/apply-plonehotfix-20170717-master

Apply plonehotfix 20170717 [master]

Merge pull request #87 from zopefoundation/apply-plonehotfix-20170717-master
Apply plonehotfix 20170717 [master]
54b7d082 · Tres Seaver · GitHub · d690799f · 812c4176 · 54b7d082
Commit 54b7d082 authored Jan 17, 2017 by Tres Seaver Committed by GitHub Jan 17, 2017
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 20 deletions

CHANGES.rst CHANGES.rst +3 -0

src/OFS/dtml/findResult.dtml src/OFS/dtml/findResult.dtml +20 -20

No files found.
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -11,6 +11,9 @@ https://zope.readthedocs.io/en/2.13/CHANGES.html
 Bugs Fixed
 ++++++++++

+- Fixed reflective XSS in findResult.
+  This applies PloneHotfix20170117.  [maurits]
+
 - Patch zope.interface to remove docstrings and avoid publishing.
  From Products.PloneHotfix20161129.   [maurits]


--- a/src/OFS/dtml/findResult.dtml
+++ b/src/OFS/dtml/findResult.dtml
@@ -124,7 +124,7 @@ your search terms below.
  </div>
  </TD>
  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])">">
+  <INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])" html_quote>">
  </TD>
 </TR>