Index: openacs-4/packages/xowiki/xowiki.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/xowiki.info,v
diff -u -r1.180.2.91 -r1.180.2.92
--- openacs-4/packages/xowiki/xowiki.info	23 Mar 2022 20:37:16 -0000	1.180.2.91
+++ openacs-4/packages/xowiki/xowiki.info	25 Mar 2022 10:13:47 -0000	1.180.2.92
@@ -10,7 +10,7 @@
     <inherit-templates-p>t</inherit-templates-p>
     <auto-mount>xowiki</auto-mount>
 
-    <version name="5.10.1d22" url="http://openacs.org/repository/download/apm/xowiki-5.10.1d22.apm">
+    <version name="5.10.1d23" url="http://openacs.org/repository/download/apm/xowiki-5.10.1d23.apm">
 	<owner url="mailto:neumann@wu-wien.ac.at">Gustaf Neumann</owner>
 	<summary>A xotcl-based enterprise wiki system with multiple object types</summary>
 	<release-date>2021-09-15</release-date>
@@ -55,8 +55,8 @@
 	<license>BSD-Style</license>
 	<maturity>2</maturity>
 
-	<provides url="xowiki" version="5.10.1d22"/>
-	<requires url="xotcl-core" version="5.10.1d6"/>
+	<provides url="xowiki" version="5.10.1d23"/>
+	<requires url="xotcl-core" version="5.10.1d7"/>
 	<requires url="acs-datetime" version="5.9.1"/>
 	<requires url="acs-kernel" version="5.10.0"/>
 	<requires url="acs-tcl" version="5.10.1d12"/>
Index: openacs-4/packages/xowiki/tcl/package-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/package-procs.tcl,v
diff -u -r1.332.2.110 -r1.332.2.111
--- openacs-4/packages/xowiki/tcl/package-procs.tcl	15 Mar 2022 12:01:52 -0000	1.332.2.110
+++ openacs-4/packages/xowiki/tcl/package-procs.tcl	25 Mar 2022 10:13:47 -0000	1.332.2.111
@@ -2788,11 +2788,13 @@
   } {
     set object_type [:query_parameter object_type:class "::xowiki::Page"]
     set autoname [:get_parameter autoname 0]
-    set parent_id [${:id} query_parameter parent_id:int32 ""]
-    if {$parent_id eq ""} {set parent_id [${:id} form_parameter folder_id ${:folder_id}]}
-    if {![string is integer -strict $parent_id]} {
-      ad_return_complaint 1 "invalid parent_id"
-      ad_script_abort
+    set parent_id [${:id} query_parameter parent_id:cr_item_of_package,arg=${:id}]
+    if {$parent_id eq ""} {
+      set parent_id [${:id} form_parameter folder_id ${:folder_id}]
+      if {![::xo::db::CrClass id_belongs_to_package -item_id $parent_id -package_id ${:id}]} {
+        ad_return_complaint 1 "invalid parent_id"
+        ad_script_abort
+      }
     }
     set page [$object_type new -volatile -parent_id $parent_id -package_id ${:id}]
     # :ds "parent_id of $page = [$page parent_id], cl=[$page info class] parent_id=$parent_id\n[$page serialize]"
Index: openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl,v
diff -u -r1.368.2.115 -r1.368.2.116
--- openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl	15 Mar 2022 12:01:53 -0000	1.368.2.115
+++ openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl	25 Mar 2022 10:13:47 -0000	1.368.2.116
@@ -304,11 +304,21 @@
     # parent_id has priority over the other measures to obtain it.
     #
     if {$parent_id == 0} {
-      if {![info exists :parent_id]} {:parent_id [::${:package_id} folder_id]}
+      if {![info exists :parent_id]} {
+        set :parent_id [::${:package_id} folder_id]
+      }
       set fp_parent_id [:form_parameter "parent_id" [:query_parameter parent_id:int32 ${:parent_id}]]
     } else {
       set fp_parent_id $parent_id
     }
+    #
+    # Allow only inserts to own package.
+    #
+    if {![::xo::db::CrClass id_belongs_to_package -item_id $fp_parent_id -package_id ${:package_id}]} {
+      ad_return_complaint 1 "invalid parent_id"
+      ad_script_abort
+    }
+
     # In case the Form is inherited and package_id was not specified, we
     # use the actual package_id.
     set fp_package_id [:form_parameter "package_id" [:query_parameter package_id:int32 ${:package_id}]]
@@ -1162,7 +1172,7 @@
       } else {
         #
         # We have no validation errors, so we can save the content.
-        #        
+        #
         :save_data \
             -use_given_publish_date [expr {"_publish_date" in $field_names}] \
             [::xo::cc form_parameter __object_name ""] $category_ids
@@ -1213,7 +1223,7 @@
       #
       # Build the input form and display the current values.
       #
-      #:log "form_action is something different: <[:form_parameter __form_action {}]>"      
+      #:log "form_action is something different: <[:form_parameter __form_action {}]>"
       if {[:is_new_entry ${:name}]} {
         set :creator [::xo::get_user_name [::xo::cc user_id]]
         set :nls_language [::${:package_id} default_locale]
@@ -2736,7 +2746,7 @@
     foreach f [concat $form_fields $leaf_components] {
       #:log "check processed $f [$f name] [info exists processed([$f name])] disabled=[$f is_disabled]"
       set att [$f name]
-      
+
       if {![info exists processed($att)]
           && ![$f exists is_repeat_template]
           && ![$f exists disabled]
Index: openacs-4/packages/xowiki/www/admin/import.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/www/admin/import.tcl,v
diff -u -r1.28.2.12 -r1.28.2.13
--- openacs-4/packages/xowiki/www/admin/import.tcl	25 Mar 2022 09:27:17 -0000	1.28.2.12
+++ openacs-4/packages/xowiki/www/admin/import.tcl	25 Mar 2022 10:13:47 -0000	1.28.2.13
@@ -9,14 +9,10 @@
   {-create_user_ids:integer 0}
   {-replace:integer 0}
   {-return_url:localurl ../}
-  {-parent_id:intger 0}
+  {-parent_id:integer 0}
 }
 if {$parent_id ne 0} {
-  set success [::xo::db::CrClass id_belongs_to_package -item_id $parent_id -package_id $package_id]
-    if {!$success} {
-    ad_return_complaint 1 "provided parent_id is invalid"
-    ad_script_abort
-  }
+  set parent_id [::xo::cc query_parameter parent_id:cr_item_of_package,arg=$package_id]
 }
 
 set msg ""