- HTTPResponse.py:  CGI escapes (merged from 2.6 / 2.7 audit).

  - xmlrpc.py:  Exclude "private" attributes when marshalling an instance
    as an XML-RPC dict (merged from 2.6 / 2.7 audit).

lib/python/ZPublisher/HTTPResponse.py

@@ -12,8 +12,8 @@
 ##############################################################################
 '''CGI Response Output formatter
 
-$Id: HTTPResponse.py,v 1.78 2003/12/26 23:48:18 jeremy Exp $'''
-__version__ = '$Revision: 1.78 $'[11:-2]
+$Id: HTTPResponse.py,v 1.79 2004/01/15 23:02:08 tseaver Exp $'''
+__version__ = '$Revision: 1.79 $'[11:-2]
 
 import types, os, sys, re
 import zlib, struct
@@ -461,7 +461,8 @@ class HTTPResponse(BaseResponse):
                     ibase = base_re_search(body)
                     if ibase is None:
                         self.body = ('%s\n<base href="%s" />\n%s' %
-                                   (body[:index], self.base, body[index:]))
+                                   (body[:index], self.quoteHTML(self.base),
+                                    body[index:]))
                         self.setHeader('content-length', len(self.body))
 
     def appendCookie(self, name, value):

lib/python/ZPublisher/xmlrpc.py

@@ -100,6 +100,16 @@ class Response:
             # Convert Fault object to XML-RPC response.
             body=xmlrpclib.dumps(body, methodresponse=1)
         else:
+            if type(body) == InstanceType:
+                # Avoid disclosing private members. Private members are
+                # by convention named with a leading underscore char.
+                orig = body.__dict__
+                dict = {}
+                for key in orig.keys():
+                    if key[:1] != '_':
+                        dict[key] = orig[key]
+                body = dict
+
             # Marshall our body as an XML-RPC response. Strings will be sent
             # strings, integers as integers, etc. We do *not* convert
             # everything to a string first.