diff doc/upgrading.txt @ 4320:1072574dab86
include some additional docs
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Tue, 12 Jan 2010 05:18:41 +0000 |
| parents | 05d3f47003fc |
| children | f11b38b91c99 |
--- a/doc/upgrading.txt Mon Jan 11 20:49:46 2010 +0000 +++ b/doc/upgrading.txt Tue Jan 12 05:18:41 2010 +0000 @@ -22,6 +22,25 @@ "Create" permissions exist for all properties you want users to be able to create. +Fixing some potential security holes +------------------------------------ + +Some HTML templates were found to have formatting security problems: + +``html/page.html``:: + + -tal:replace="request/user/username">username</span></b><br> + +tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br> + +``html/_generic.help-list.html``:: + + -tal:content="structure python:item[prop]"></label> + +tal:content="python:item[prop]"></label> + +The lines marked "+" should be added and lines marked "-" should be +deleted (minus the "+"/"-" signs). + + Migrating from 1.4.x to 1.4.11 ============================== @@ -68,6 +87,12 @@ The lines marked "+" should be added and lines marked "-" should be deleted (minus the "+"/"-" signs). +You should also modify the ``html/page.py`` template to change the +permission tested there:: + + -tal:condition="python:request.user.hasPermission('Create', 'user')" + +tal:condition="python:request.user.hasPermission('Register', 'user')" + Generic class editor may now restore retired items --------------------------------------------------
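Review bot: The intro sentence of the new section in the first hunk (@@ -22,6 +22,25 @@), "Some HTML templates were found to have formatting security problems", does not say what the problem is. Both fixes concern output escaping: the ``html/page.html`` line switches to `request.user.username.plain(escape=1)`, and the ``html/_generic.help-list.html`` line drops the `structure` keyword, which makes TAL insert the value without HTML-quoting. Suggest naming that explicitly (values rendered into the page without HTML escaping) and telling admins to look for the same two patterns elsewhere in their templates, since this document asks them to patch their own copies by hand.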
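Review bot: In the second hunk (@@ -68,6 +87,12 @@), ``html/page.py`` looks like a typo for ``html/page.html``: the line being changed is a `tal:condition` attribute, and the first hunk names the template as ``html/page.html``. The new paragraph is also appended after the sentence that explains the "+"/"-" markers, so the explanation now sits in the middle of the instructions; consider moving this block above that sentence. A short clause on why the check changes from `hasPermission('Create', 'user')` to `hasPermission('Register', 'user')` would help admins decide whether their customised templates need the same edit.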
