- Timestamp:
- 2014-03-13T14:34:48+13:00 (10 years ago)
- File:
-
- 1 edited
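--- a/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
@@ -36,4 +36,5 @@
 #include "gsdltimes.h"
 #include "OIDtools.h"
+#include "securitytools.h"
 #include <assert.h>
 #include <time.h>
@@ -1485,5 +1486,8 @@
     compressedoptions = to_uni(compressedoptions);
   }
-  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dm_safe(compressedoptions));
+
+  text_t dmacrovalue = dm_safe(compressedoptions);
+  disp.setmacro ("decodedcompressedoptions", displayclass::defaultpackage, dmacrovalue);
+  disp.setmacro ("decodedcompressedoptionsAttrsafe", displayclass::defaultpackage, encodeForHTMLAttr(dmacrovalue));
 
 #if defined (__WIN32__)
@@ -1495,4 +1499,7 @@
   cgiargsclass::const_iterator argsend = args.end();
   while (argshere != argsend) {
+
+    text_t macrovalue = (*argshere).second.value; // and stays like that if ((*argshere).first == "hp")
+
     if (((*argshere).first == "q") ||
         ((*argshere).first == "qa") ||
@@ -1502,13 +1509,37 @@
         ((*argshere).first == "qpl") ||
         ((*argshere).first == "qr") ||
-        ((*argshere).first == "q2"))
+        ((*argshere).first == "q2")) {
+
       // need to escape special characters from query string
-      disp.setmacro ("cgiarg" + (*argshere).first,
-                     displayclass::defaultpackage, html_safe((*argshere).second.value));
-    else if ((*argshere).first == "hp") {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, (*argshere).second.value);
-    } else {
-      disp.setmacro ("cgiarg" + (*argshere).first, displayclass::defaultpackage, dm_safe((*argshere).second.value));
-    }
+      macrovalue = html_safe(macrovalue);
+
+    } else if ((*argshere).first == "hp") {
+      if(!isValidURLProtocol(macrovalue)) {
+        macrovalue = encodeForURL(macrovalue); // URL has invalid protocol like javascript:, so URL encode it
+      }
+    }
+    else {
+      macrovalue = dm_safe(macrovalue);
+    }
+
+    // set the default value for the macro
+    disp.setmacro ("cgiarg" + (*argshere).first,
+                   displayclass::defaultpackage, macrovalue);
+
+    // set macros for the encoded versions of the same value. Uses the functions in securitytools.h
+    // https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
+
+    text_t htmlsafe = encodeForHTML(macrovalue);
+    text_t attrsafe = encodeForHTMLAttr(macrovalue);
+    text_t urlsafe = encodeForURL(macrovalue);
+    text_t jssafe = encodeForJavascript(macrovalue);
+    text_t csssafe = encodeForCSS(macrovalue);
+
+    disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe);
+    disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe);
+
+
     ++argshere;
   }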
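Review bot: The encoded variants at new lines 1531–1535 are derived from `macrovalue` after the branch above has already transformed it, so for the query arguments `cgiargqUrlsafe` and `cgiargqJssafe` encode the `html_safe` output rather than the submitted value, and for an `hp` value that fails `isValidURLProtocol` the `Urlsafe` macro is `encodeForURL` applied twice. If each `*safe` macro is meant to be the single correct encoding for its output context, take a copy before the branch, `const text_t rawvalue = (*argshere).second.value;`, and pass `rawvalue` to the five `encodeFor*` calls; if the double transformation is deliberate, say so in the comment at new line 1528, which currently reads as if the raw value were being encoded. The comment at new line 1502 is also now stale, since the `hp` branch can rewrite the value; something like `// raw value; transformed below per argument, except "hp" with a valid protocol, which is set unencoded in cgiarghp (templates placing it in an attribute must use cgiarghpAttrsafe)` would record the one case where the default macro remains unescaped. The enclosing function starts before this section.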