From 363ef913627656d300b91ba2b7867c913bd47a2b Mon Sep 17 00:00:00 2001 From: richard Date: Tue, 12 Jan 2010 05:18:41 +0000 Subject: [PATCH] include some additional docs git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4424 57a73879-2fb5-44c3-a270-3262357dd7e2 --- doc/upgrading.txt | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/doc/upgrading.txt b/doc/upgrading.txt index 1a461d3..fea0086 100644 --- a/doc/upgrading.txt +++ b/doc/upgrading.txt @@ -22,6 +22,25 @@ permissions from the default distribution, you should check that "Create" permissions exist for all properties you want users to be able to create. +Fixing some potential security holes +------------------------------------ + +Some HTML templates were found to have formatting security problems: + +``html/page.html``:: + + -tal:replace="request/user/username">username
+ +tal:replace="python:request.user.username.plain(escape=1)">username
+ +``html/_generic.help-list.html``:: + + -tal:content="structure python:item[prop]"> + +tal:content="python:item[prop]"> + +The lines marked "+" should be added and lines marked "-" should be +deleted (minus the "+"/"-" signs). + + Migrating from 1.4.x to 1.4.11 ============================== @@ -68,6 +87,12 @@ assign it to the Anonymous role (replacing any previously assigned The lines marked "+" should be added and lines marked "-" should be deleted (minus the "+"/"-" signs). +You should also modify the ``html/page.py`` template to change the +permission tested there:: + + -tal:condition="python:request.user.hasPermission('Create', 'user')" + +tal:condition="python:request.user.hasPermission('Register', 'user')" + Generic class editor may now restore retired items -------------------------------------------------- -- 2.30.2
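Review bot: The new "Fixing some potential security holes" section in the first hunk never says what the hole is, so an administrator cannot tell whether a customised tracker is affected; "formatting security problems" should be spelled out in terms of what the two edits do. `tal:replace="request/user/username"` inserts the username without escaping, and the `structure` keyword in `tal:content="structure python:item[prop]"` tells TAL to insert the value as raw HTML, so both changes exist to escape values that may contain markup before they reach the page (the `.plain(escape=1)` call and the dropped `structure` keyword respectively). One sentence stating that would make the purpose clear. The snippets also quote only the bare `tal:replace=` / `tal:content=` attributes; showing the enclosing element for each would help readers locate the line in a template that has been edited locally.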
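Review bot: The file name in the second hunk, ``html/page.py``, looks like a typo: the first hunk refers to the same template as ``html/page.html``, and the `tal:condition` attribute being edited is template markup rather than Python, so it should read ``html/page.html``. It would also help to say why the test changes: the surrounding text describes assigning a permission to the Anonymous role in place of a previously assigned one, so the reader should be told that the condition must test 'Register' rather than 'Create' on 'user' to match that new permission, otherwise it is not obvious which trackers need this edit.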