Log message for revision 108033: Backport fix for LP #490514: preserve tainting when calling into DTML from ZPT.
Changed: U Zope/branches/2.9/doc/CHANGES.txt U Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py U Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py -=- Modified: Zope/branches/2.9/doc/CHANGES.txt =================================================================== --- Zope/branches/2.9/doc/CHANGES.txt 2010-01-11 21:33:47 UTC (rev 108032) +++ Zope/branches/2.9/doc/CHANGES.txt 2010-01-11 21:36:17 UTC (rev 108033) @@ -6,6 +6,8 @@ Zope 2.9.12 (2010/01/12) + - LP #490514: preserve tainting when calling into DTML from ZPT. + - LP #491224: proper escaping of rendered error message Zope 2.9.11 (2009/08/06) Modified: Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py =================================================================== --- Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py 2010-01-11 21:33:47 UTC (rev 108032) +++ Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py 2010-01-11 21:36:17 UTC (rev 108033) @@ -66,6 +66,8 @@ this = ns.get('context', ns.get('here')) td.this = this request = ns.get('request', {}) + if hasattr(request, 'taintWrapper'): + request = request.taintWrapper() td._push(request) td._push(InstanceDict(td.this, td)) td._push(ns) Modified: Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py =================================================================== --- Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py 2010-01-11 21:33:47 UTC (rev 108032) +++ Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py 2010-01-11 21:36:17 UTC (rev 108033) 
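Review bot: The `hasattr(request, 'taintWrapper')` guard added in ZRPythonExpr.py fails open: a request object without that method (a plain dict, or a proxy that does not forward it) is pushed onto `td` unchanged, so DTML reached through this path sees untainted values with no signal. If that fallback is intended for non-HTTP callers, record it in a comment above the guard, for example `# Push the taint-aware view of the request so DTML called from ZPT keeps tainting (LP #490514); objects without taintWrapper are pushed as-is.` Also, `ns` is pushed last and still holds the original object under `'request'`, so a lookup of that name presumably resolves to the unwrapped request; it is worth confirming that this is acceptable. The enclosing function starts and ends outside the hunk.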
@@ -39,6 +39,18 @@ result = call_with_ns(_find_request, names) self.assertEqual(result, {}) + + def test_call_with_request_preserves_tainting(self): + from Products.PageTemplates.ZRPythonExpr import call_with_ns + class Request(dict): + def taintWrapper(self): + return {'tainted': 'found'} + context = ['context'] + here = ['here'] + names = {'context' : context, 'here': here, 'request' : Request()} + + found = call_with_ns(lambda td: td['tainted'], names) + self.assertEqual(found, 'found') def test_suite(): return unittest.makeSuite(MiscTests) _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins
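Review bot: The new test would still pass if the raw request were consulted alongside the wrapper, because `Request()` is empty and the key `'tainted'` exists only in the dict returned by `taintWrapper`. Seeding the stub with a conflicting value, `'request' : Request(tainted='raw')`, while keeping `self.assertEqual(found, 'found')`, would show that the wrapped view is the one pushed onto the namespace. If the preceding test does not already cover a request without `taintWrapper`, a case for that fallback would pin the other branch of the guard. The test class begins outside the hunk.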