Changeset 28888 for main/trunk/greenstone2/runtime-src/src
- Timestamp:
- 2014-03-13T14:34:48+13:00 (10 years ago)
- Location:
- main/trunk/greenstone2/runtime-src/src/recpt
- Files:
-
- 2 added
- 8 edited
main/trunk/greenstone2/runtime-src/src/recpt/Makefile.in
r28760 r28888 155 155 APACHE_MODULE = 156 156 endif 157 157 158 158 159 # Extension support … … 229 230 $(RSS_SOURCES) \ 230 231 statusaction.cpp \ 232 securitytools.cpp \ 231 233 summarise.cpp \ 232 234 tipaction.cpp \ … … 278 280 $(RSS_OBJECTS) \ 279 281 statusaction.o \ 282 securitytools.o \ 280 283 summarise.o \ 281 284 tipaction.o \ -
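--- a/main/trunk/greenstone2/runtime-src/src/recpt/action.h
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/action.h
@@ -34,4 +34,5 @@
 #include "recptproto.h"
 #include "browserclass.h"
+#include "securitytools.h"
 
 #if defined(GSDL_USE_OBJECTSPACE)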
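--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -651,5 +651,5 @@
 
 // Display the "this collection is not installed on this system" page
-disp.setmacro("cvariable", displayclass::defaultpackage, collection);
+disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(collection));
 disp.setmacro("content", "query", "<p>_textbadcollection_<p>");
 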
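--- a/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
@@ -44,5 +44,5 @@
 
 // set to false to undo security changes (url-encoding arguments)
-static bool do_safe_cgi_args = true;
+static bool do_safe_cgi_args = false;
 
 static unsigned short hexdigit (unsigned short c) {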
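Review bot: The default of `do_safe_cgi_args` is flipped from `true` to `false`, which by the wording of the comment directly above it undoes the URL-encoding of arguments that was the earlier security change, and nothing on this page says what is meant to replace it. If the intent is that the per-context `cgiarg*Htmlsafe`/`Attrsafe`/`Urlsafe` macros added in receptionist.cpp now carry that responsibility, the comment should record it, e.g. `// false: arguments are no longer URL-encoded on input; escaping is done per output context by the cgiarg*safe macros set in receptionist.cpp`. Until every template is switched to those macros, the plain `_cgiargX_` values are only `dm_safe`'d (and `_cgiarghp_` not escaped at all once its protocol is accepted), so the flip widens exposure in the interim; keeping `true` until the templates are migrated, or making the flag a runtime configuration rather than a compile-time default, would be the safer sequencing.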
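--- a/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
@@ -751,5 +751,5 @@
 if (arg_p == "about") {
 if (cinfo == NULL) {
-disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
 disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
 return;
@@ -797,5 +797,5 @@
 
 if (cinfo == NULL) {
-disp.setmacro("cvariable", displayclass::defaultpackage, arg_c);
+disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(arg_c));
 disp.setmacro("content", arg_p, "<p>_textbadcollection_<p>");
 return;
@@ -1009,7 +1009,7 @@
 text_t &arg_p = args["p"];
 
-textout << outconvert << disp << ("_" + arg_p+ ":header_\n")
-<< ("_" + arg_p+ ":content_\n")
-<< ("_" + arg_p+ ":footer_\n");
+textout << outconvert << disp << ("_" + encodeForHTML(arg_p) + ":header_\n")
+<< ("_" + encodeForHTML(arg_p) + ":content_\n")
+<< ("_" + encodeForHTML(arg_p) + ":footer_\n");
 
 return true;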
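Review bot: In the third hunk (new lines 1011–1013) `encodeForHTML(arg_p)` is spliced into a macro name, `"_" + … + ":header_"`, so an HTML encoder is being applied to the macro-language context rather than to HTML output: the entity form does keep a reflected value from rendering as markup if the display class echoes an unresolved macro, but a page name containing `&` or `<` would no longer resolve, and macro delimiters such as `_` in `arg_p` still reach the expander unescaped, whereas the other hunks on this page use `dm_safe` for values that pass through the display class (what exactly it escapes is not visible here). Checking `arg_p` against the set of page names this action actually serves, before anything is streamed, would be the more direct control, and a comment such as `// arg_p is user supplied: validate it before it is used to build a macro name` would record why. The enclosing function starts outside the hunk.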
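--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -1010,5 +1010,5 @@
 
 // Display the "this collection is not installed on this system" page
-disp.setmacro("cvariable", displayclass::defaultpackage, main_collection);
+disp.setmacro("cvariable", displayclass::defaultpackage, encodeForHTML(main_collection));
 disp.setmacro("content", "query", "<p>_textbadcollection_<p>");
 
@@ -1394,5 +1394,8 @@
 }
 
-disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+text_t macrovalue = dm_safe(compressedoptions);
+disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, macrovalue);
+disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(macrovalue));
+
 }
 } // form search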
main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
r24895 r28888 36 36 #include "gsdltimes.h" 37 37 #include "OIDtools.h" 38 #include "securitytools.h" 38 39 #include <assert.h> 39 40 #include <time.h> … … 1485 1486 compressedoptions = to_uni(compressedoptions); 1486 1487 } 1487 disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions)); 1488 1489 text_t dmacrovalue = dm_safe(compressedoptions); 1490 disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue); 1491 disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue)); 1488 1492 1489 1493 #if defined (__WIN32__) … … 1495 1499 cgiargsclass::const_iterator argsend = args.end(); 1496 1500 while (argshere != argsend) { 1501 1502 text_t macrovalue = (*argshere).second.value; // and stays like that if ((*argshere).first == "hp") 1503 1497 1504 if (((*argshere).first == "q") || 1498 1505 ((*argshere).first == "qa") || … … 1502 1509 ((*argshere).first == "qpl") || 1503 1510 ((*argshere).first == "qr") || 1504 ((*argshere).first == "q2")) 1511 ((*argshere).first == "q2")) { 1512 1505 1513 // need to escape special characters from query string 1506 disp.setmacro ("cgiarg" + (*argshere).first, 1507 displayclass::defaultpackage, html_safe((*argshere).second.value)); 1508 else if ((*argshere).first == "hp") { 1509 disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, (*argshere).second.value); 1510 } else { 1511 disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, dm_safe((*argshere).second.value)); 1512 } 1514 macrovalue = html_safe(macrovalue); 1515 1516 } else if ((*argshere).first == "hp") { 1517 if(!isValidURLProtocol(macrovalue)) { 1518 macrovalue = encodeForURL(macrovalue); // URL has invalid protocol like javascript:, so URL encode it 1519 } 1520 } 1521 else { 1522 macrovalue = dm_safe(macrovalue); 1523 } 1524 1525 // set the default value for the macro 1526 disp.setmacro ("cgiarg" + (*argshere).first, 
displayclass::defaultpackage, macrovalue); 1527 1528 // set macros for the encoded versions of the same value. Uses the functions in securitytools.h 1529 // https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 1530 1531 text_t htmlsafe = encodeForHTML(macrovalue); 1532 text_t attrsafe = encodeForHTMLAttr(macrovalue); 1533 text_t urlsafe = encodeForURL(macrovalue); 1534 text_t jssafe = encodeForJavascript(macrovalue); 1535 text_t csssafe = encodeForCSS(macrovalue); 1536 1537 disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe); 1538 disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe); 1539 disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe); 1540 disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe); 1541 disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe); 1542 1543 1513 1544 ++argshere; 1514 1545 } -
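Review bot: In the `while (argshere != argsend)` hunk the five encoded variants (new lines 1531–1535) are computed from `macrovalue` after it has already been passed through `html_safe`, `dm_safe` or `encodeForURL`, so for a query argument `_cgiargqHtmlsafe_` is an HTML encoding of an already HTML-encoded string (`&` → `&amp;` → `&amp;amp;`, if `html_safe` encodes ampersands as its name suggests), `_cgiarghpUrlsafe_` can be percent-encoded twice, and every other argument's variants carry whatever `dm_safe` inserted. Each encoder should take the untouched `(*argshere).second.value`; whether `dm_safe` must additionally be applied on top of the encoded forms depends on whether the display class expands macros inside these values, which is not visible here, and the same derived-from-escaped pattern appears in `decodedcompressedoptionsAttrsafe` (`encodeForHTMLAttr(dm_safe(...))`) in this file, queryaction.cpp and sqlqueryaction.cpp. The `hp` branch also leaves the value untouched when `isValidURLProtocol` accepts it, so `_cgiarghp_` then carries a raw URL including any quote or angle bracket it contains; templates that place it in an attribute must use the new `Attrsafe` macro, and the comment on new line 1502 (`// and stays like that if ... == "hp"`) is no longer accurate since an invalid-protocol value is URL-encoded. The loop's enclosing function starts and ends outside the hunk.
```cpp
while (argshere != argsend) {

  const text_t &argname  = (*argshere).first;
  const text_t &rawvalue = (*argshere).second.value; // as received: the input for every encoder below
  text_t macrovalue = rawvalue;                       // stays as received only for "hp" with an accepted protocol

  // … unchanged: html_safe / isValidURLProtocol+encodeForURL / dm_safe selection of macrovalue …

  // set the default value for the macro
  disp.setmacro ("cgiarg" + argname, displayclass::defaultpackage, macrovalue);

  // per-context encodings of the raw value, so no value is escaped twice
  disp.setmacro ("cgiarg" + argname + "Htmlsafe", displayclass::defaultpackage, encodeForHTML(rawvalue));
  disp.setmacro ("cgiarg" + argname + "Attrsafe", displayclass::defaultpackage, encodeForHTMLAttr(rawvalue));
  disp.setmacro ("cgiarg" + argname + "Jssafe",   displayclass::defaultpackage, encodeForJavascript(rawvalue));
  disp.setmacro ("cgiarg" + argname + "Csssafe",  displayclass::defaultpackage, encodeForCSS(rawvalue));
  disp.setmacro ("cgiarg" + argname + "Urlsafe",  displayclass::defaultpackage, encodeForURL(rawvalue));

  ++argshere;
}
```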
main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
r28841 r28888 309 309 compressedoptions = to_uni(compressedoptions); 310 310 } 311 312 disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions)); 311 312 text_t dmacrovalue = dm_safe(compressedoptions); 313 disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue); 314 disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue)); 313 315 } 314 316 } // form search … … 317 319 logout << "ERROR (sqlqueryaction::get_formatted_query_string): querytype not defined\n"; 318 320 } 319 320 321 322 323 321 324 322 }