Brian Lloyd writes:

 > If you or Hajime can send me a patch against the current 2.7 
 > branch, I'll make sure they get in before the beta is cut (or if 
 > either of you are committers it is also fine to checkin yourselves 
 > to the Zope-2_7-branch and head and let me know when it's done).

Here is a patch that solves the issue with "manage_page_charset" not
being called if it is a method instead of a string-valued attribute:

Index: lib/python/App/dtml/manage_page_header.dtml
===================================================================
RCS file: /cvs-repository/Zope/lib/python/App/dtml/manage_page_header.dtml,v
retrieving revision 1.12
diff -w -u -r1.12 manage_page_header.dtml
--- lib/python/App/dtml/manage_page_header.dtml 22 Dec 2002 17:53:57 -0000      1.12
+++ lib/python/App/dtml/manage_page_header.dtml 15 Jan 2004 17:17:50 -0000
@@ -5,7 +5,7 @@
 <dtml-call "REQUEST.set('management_page_charset','iso-8859-1')">
 </dtml-unless>
 <meta http-equiv="content-type" 
content="text/html;charset=&dtml-management_page_charset;">
-<dtml-call 
"RESPONSE.setHeader('content-type','text/html;charset='+management_page_charset)">
+<dtml-call 
"RESPONSE.setHeader('content-type','text/html;charset='+_.render(management_page_charset))">
 <title><dtml-if title>&dtml-title;</dtml-if></title>
 <dtml-let ag="REQUEST.get('HTTP_USER_AGENT', '')"
      is_nav4="ag[:9] == 'Mozilla/4' and _.string.find(ag, 'MSIE') < 0"
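Review bot: the `+` line wraps the charset in `_.render(...)` so a callable `manage_page_charset` is invoked before the string concatenation, but the rendered value then goes straight into the Content-Type header with no check that it is a plain charset token, while the `<meta>` tag two lines earlier still relies on the `&dtml-management_page_charset;` entity form. Consider validating the rendered value (letters, digits and a few punctuation characters only) before `RESPONSE.setHeader(...)`, or at least documenting that a method returning arbitrary text would now reach the response header unescaped. Note also that the diff was generated with `-w`, so whitespace-only changes in the file are not visible here.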


 I have not found any bad side effects after the patch, but I am not
very experienced with the somewhat arcane DTML hacks, so it would be nice
if someone else does some testing with it.

 At least it fulfills the requirements that manage_page_charset is
called if it is callable, and thus recovers Formulator.

 What I am not certain about is if this reopens some XSS-security holes
the original change intended to close. However as long as one does not
have an utterly broken "manage_page_charset" method I cannot see why
this should happen.

 Oh, I see Martijn already responded to the posting, so it's maybe
superfluous anyway.

Cheers,
Clemens
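As an added example (not part of Clemens's patch or of Zope's own code), the callable-versus-string behaviour the patch addresses and the header check a reviewer would want, in plain Python with constructed stand-in classes; `render`, `content_type_header` and the three classes are assumptions for illustration:

```python
import re

# Constructed stand-ins for a Zope object whose manage_page_charset is either a
# plain string attribute or a method, the two cases the patch distinguishes.
class StringCharset:
    manage_page_charset = "iso-8859-1"

class MethodCharset:
    def manage_page_charset(self):
        return "utf-8"

class BrokenCharset:
    # Hypothetical misbehaving method: returns something that is not a charset token.
    def manage_page_charset(self):
        return 'iso-8859-1">'

def header_before_patch(obj):
    # What the original DTML did: concatenate the attribute as-is. A method
    # cannot be added to a string, so this raises TypeError for MethodCharset.
    return "text/html;charset=" + getattr(obj, "manage_page_charset")

def render(value):
    # Mirrors what _.render does in the patch: call the value if it is callable.
    return value() if callable(value) else value

# Charset names use a small token alphabet; reject anything else before it
# reaches a response header (or the <meta> tag).
CHARSET_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:()+-]{0,39}$")

def content_type_header(obj, default="iso-8859-1"):
    value = render(getattr(obj, "manage_page_charset", default))
    if not isinstance(value, str) or not CHARSET_TOKEN.match(value):
        raise ValueError("refusing unsafe charset value: %r" % (value,))
    return "text/html;charset=" + value
```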

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )