root/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h @ 28898

Revision 28898, 1.8 KB (checked in by ak19, 4 years ago)

1. The cgiargq query variable is now no longer escaped in the 3 simple or large forms that use it. fqv and other js-escaped fields are unchanged, since jssafe now ensures that backslashes are escaped for macro files, so these resolve correctly in query.dm. 2. securitytools.cpp and .h updated to additionally escape backslashes for macro files when JavaScript escaping. This is done by default, since the jssafe variants of cgiargs are all that are used, and they're used in macro files. 3. Encoded versions of decodedcompressedoptions are now used in all macro files. They're always used in attributes, so the attrsafe version which is set in receptionist.cpp is used.

#ifndef SECURITYTOOLS_H
#define SECURITYTOOLS_H

#include "text_t.h"

// Output-encoding helpers for the receptionist, modelled on OWASP ESAPI's
// encoders. Each encodeForXXX() takes untrusted text and returns a copy that
// is safe to embed in the named output context (HTML body, HTML attribute,
// JavaScript, CSS, URL, MySQL string). Pick the encoder by the context the
// value is written INTO, not by where the value came from.

// enums start numbering at 0 unless otherwise specified
// Quoting mode for encodeForMySQL(). The trailing comment is the Java ESAPI
// MySQLCodec enum this appears to mirror (STANDARD == 0, ANSI == 1).
enum SQLMode { STANDARD, ANSI }; // public static enum Mode { ANSI(1),STANDARD(0); ...}


// two bytes
// Hex digits of U+FFFD, the Unicode replacement character, as text; the
// commented-out line below is the same value as a single character.
static const text_t REPLACEMENT_HEX = "fffd";
//static const unsigned short REPLACEMENT_CHAR = '\ufffd';
// "Immune" sets in the ESAPI sense: the characters the corresponding encoder
// leaves unencoded. They are the defaults for the immuneChars parameters
// declared below. A caller may pass a narrower set; widening a set weakens
// the encoding and should be reviewed case by case.
// NOTE: as `static const` objects in a header, every translation unit that
// includes this file gets its own copy of these.
static const text_t IMMUNE_CSS = "";
static const text_t IMMUNE_HTML = ",.-_ ";
static const text_t IMMUNE_HTMLATTR = ",.-_"; // no space, presumably because an unquoted attribute value ends at whitespace
static const text_t IMMUNE_JAVASCRIPT = ",._";
static const text_t IMMUNE_URL = "*.-_"; // See http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
static const text_t IMMUNE_SQL = " ";


// a very simple version of esapi's Validator.isValidInput()
// Returns true when `url` passes the protocol check; intended to be called
// before a caller-supplied URL is echoed anywhere a link is emitted. Which
// protocols are accepted is decided in securitytools.cpp, not here.
bool isValidURLProtocol(const text_t& url);

// String conversion
// Each function returns a new text_t and does not modify `input`.
// `immuneChars` lists the characters to pass through unencoded (see the
// IMMUNE_* defaults above).
text_t encodeForHTML(const text_t& input, const text_t& immuneChars=IMMUNE_HTML);
text_t encodeForURL(const text_t& input, const text_t& immuneChars=IMMUNE_URL);
// dmsafe: when true, backslashes are additionally escaped so the result is
// also safe inside a Greenstone macro (.dm) file. It defaults to true because
// the jssafe cgiarg variants that use this encoder are all placed in macro
// files.
text_t encodeForJavascript(const text_t& input, const text_t& immuneChars=IMMUNE_JAVASCRIPT, bool dmsafe=true);
text_t encodeForHTMLAttr(const text_t& input, const text_t& immuneChars=IMMUNE_HTMLATTR);
text_t encodeForCSS(const text_t& input, const text_t& immuneChars=IMMUNE_CSS);
// `mode` selects STANDARD or ANSI quoting rules. This is escaping for values
// that are interpolated into SQL text; where the database layer offers
// parameterised queries, those remain the stronger defence.
text_t encodeForMySQL(const text_t& input, const text_t& immuneChars=IMMUNE_SQL, const SQLMode mode=STANDARD);

// Character conversions
// Single-character variants of the encoders above. Note the reversed
// parameter order (immuneChars first, then the character) and the absence of
// defaults; `input` is one unsigned short character value.
text_t encodeForHTML(const text_t& immuneChars, const unsigned short input);
text_t encodeForURL(const text_t& immuneChars, const unsigned short input);
text_t encodeForJavascript(const text_t& immuneChars, const unsigned short input, bool dmsafe);
text_t encodeForCSS(const text_t& immuneChars, const unsigned short input);
text_t encodeForMySQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode);


#endif