Context Navigation

← Previous Change
Next Change →

usability.dm

Timestamp:

2014-03-13T14:34:48+13:00 (10 years ago)

Author:

ak19

Message:

First security commit. 1. Introducing the new securitools.h and .cpp files, which port the functions necessary to implement security in Greenstone from OWASP-ESAPI for Java, since OWASP's C++ version is largely not yet implemented, even though their code compiles. The newly added runtime-src/packages/security which contains OWASP ESAPI for C++ will therefore be removed again shortly. 2. receptionist.cpp now sets various web-encoded variants for each cgiarg macro, such as HTML entity encoded, attr encoded, javascript encoded (and css encoded variants). These are now used in the macro files based on which variant is suited to the context. 3. This commit further contains the minimum changes to protect the c, d, and p cgi variables.

File:

: 1 edited

main/trunk/greenstone2/macros/usability.dm (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

main/trunk/greenstone2/macros/usability.dm

-              r12180
+              r28888
 function failnicely(message,usabwindow)\{
   var errhtml='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">';
   errhtml+='<head><title>_greenstoneusabilitytext__texterror_</title><meta http-equiv="Content-Type" content="text/html; charset=_cgiargw_"></head><body bgcolor="#FFFFFF">';
+  errhtml+='<head><title>_greenstoneusabilitytext__texterror_</title><meta http-equiv="Content-Type" content="text/html; charset=_cgiargwJssafe_"></head><body bgcolor="#FFFFFF">';
   errhtml+='_usabbanner_';
   errhtml+=message;
 …
   //need a character type for valid html
   winhtml+='<meta http-equiv="Content-Type" content="text/html; charset=_cgiargw_"></head><body bgcolor=\"#FFFFFF\">';
+  winhtml+='<meta http-equiv="Content-Type" content="text/html; charset=_cgiargwJssafe_"></head><body bgcolor=\"#FFFFFF\">';
   //get the location of the cgi program
 …
   winhtml+=('<input type="hidden" name="opentime" value="'+(new Date()).toString()+'">');
   winhtml+=('<input type="hidden" name="sendtime" value="None">');
   winhtml+=('<input type="hidden" name="collection" value="_cgiargc_">');
+  winhtml+=('<input type="hidden" name="collection" value="_cgiargcJssafe_">');
   if(document.getElementsByTagName)\{
    //get interface variables

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 28888 for main/trunk/greenstone2/macros/usability.dm

Legend:

main/trunk/greenstone2/macros/usability.dm

Download in other formats: