Changeset 28899 for main/trunk/greenstone2/runtime-src/src/recpt/phindaction.cpp

Timestamp:

2014-03-14T22:46:25+13:00 (10 years ago)

Author:

ak19

Message:

Third commit for security, for ensuring cgiargs macros are websafe. This time all the changes to the runtime action classes.

File:

• main/trunk/greenstone2/runtime-src/src/recpt/phindaction.cpp (modified) (15 diffs)

main/trunk/greenstone2/runtime-src/src/recpt/phindaction.cpp

@@ -152 +152 @@
 
   unsigned long count_l, count_e, count_d;
-  unsigned long phrase = args["ppnum"].getulong();
+  unsigned long phrase = args["ppnum"].getulong(); // needn't encodeFor<web> on vars which have getulong() applied
   text_t &word = args["pptext"];
   unsigned long first_e = args["pfe"].getulong();
@@ -208 +208 @@
     
     if (result.empty()) {
-      output_error("phindaction: The search term ("+word+") does not occur in the collection",
+      output_error("phindaction: The search term ("+encodeForHTML(word)+") does not occur in the collection",
            textout, outconvert, disp, logout, XMLmode);
       return true;
@@ -255 +255 @@
   if (XMLmode) {
     textout << "<phinddata id=\"" << phrase 
-        << "\" text=\"" << word 
+        << "\" text=\"" << encodeForHTMLAttr(word) 
         << "\" tf=\"" << tf 
         << "\" ef=\"" << ef 
@@ -262 +262 @@
         << "\">\n";
   } else {
-    textout << "<html><head><title>" << word << "</title></head>\n"
+    textout << "<html><head><title>" << encodeForHTML(word) << "</title></head>\n"
         << "<body><center>\n"
-        << "<p><h1>" << word << "</h1>\n"
-        << "<p><b>"<< word << "</b> occurs " 
+        << "<p><h1>" << encodeForHTML(word) << "</h1>\n"
+        << "<p><b>"<< encodeForHTML(word) << "</b> occurs " 
         << tf << " times in " << df << " documents\n";
   }
@@ -316 +316 @@
       textout << outconvert << disp 
           << "<br><a href=\"_gwcgi_?"
-          << "c=" << args["c"]
+          << "c=" << encodeForURL(args["c"])
           << "&ppnum=" << phrase 
           << "&pfe=" << first_e 
@@ -328 +328 @@
     textout << outconvert << disp
         << "<br><a href=\"_gwcgi_?"
-        << "c=" << args["c"]
+        << "c=" << encodeForURL(args["c"])
         << "&ppnum=" << phrase 
         << "&pfe=" << first_e 
@@ -379 +379 @@
       textout << outconvert << disp 
           << "<br><a href=\"_gwcgi_?"
-          << "c=" << args["c"]
+          << "c=" << encodeForURL(args["c"])
           << "&ppnum=" << phrase 
           << "&pfe=" << first_e 
@@ -391 +391 @@
     textout << outconvert << disp
         << "<br><a href=\"_gwcgi_?"
-        << "c=" << args["c"]
+        << "c=" << encodeForURL(args["c"])
         << "&ppnum=" << phrase 
         << "&pfe=" << first_e 
@@ -453 +453 @@
       textout << outconvert << disp
           << "<br><a href=\"_gwcgi_?"
-          << "c=" << args["c"]
+          << "c=" << encodeForURL(args["c"])
           << "&ppnum=" << phrase 
           << "&pfe=" << first_e 
@@ -465 +465 @@
     textout << outconvert << disp 
         << "<br><a href=\"_gwcgi_?"
-        << "c=" << args["c"]
+        << "c=" << encodeForURL(args["c"])
         << "&ppnum=" << phrase 
         << "&pfe=" << first_e 
@@ -742 +742 @@
       textout << "<tr valign=top><td>" << type << "</td><td>";
       textout << outconvert << disp
-          << "<a href=\"_gwcgi_?c=" << collection;
+          << "<a href=\"_gwcgi_?c=" << encodeForURL(collection);
       textout << "&ppnum=" << phrase << "\">" << text << "</a>"
           << "</td><td>" << tf << "</td><td>" << df << "</td></tr>\n";
@@ -847 +847 @@
           << "\" df=\"" << df;
       if (!prefix.empty()) {
-    textout << "\" prefix=\"" << prefix;
+    text_t prefix_txt; 
+    fromUCArray(prefix, prefix_txt);
+    textout << "\" prefix=\"" << encodeForHTMLAttr(prefix_txt);
       }
       if (!suffix.empty()) {
-    textout << "\" suffix=\"" << suffix;
+    text_t suffix_txt; 
+    fromUCArray(suffix, suffix_txt);
+    textout << "\" suffix=\"" << encodeForHTMLAttr(suffix_txt);
       }
       textout << "\"/>\n";
@@ -856 +860 @@
       textout << outconvert << disp 
           << "<tr valign=top><td align=right><a href=\"_gwcgi_?"
-          << "c=" << collection << "&ppnum=" << phrase << "\">";
+          << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">";
       textout << prefix << "</a></td>";
       textout <<outconvert << disp
           << "<td align=center><a href=\"_gwcgi_?"
-          << "c=" << collection << "&ppnum=" << phrase << "\">"
-          << body << "</a></td>"
+          << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">"
+          << encodeForHTML(body) << "</a></td>"
           << "<td align=left><a href=\"_gwcgi_?"
-          << "c=" << collection << "&ppnum=" << phrase << "\">";
+          << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">";
       textout << suffix << "</a></td>"
           << "<td>" << tf << "</td><td>" << df << "</td></tr>\n";
@@ -986 +990 @@
       textout << outconvert << disp
           << "<tr valign=top><td><a href=\"_gwcgi_?"
-          << "c=" << collection;
+          << "c=" << encodeForURL(collection);
       textout << "&a=d&d=" << hash << "\">" << title << "</a>"
           << "</td><td>" << freq << "</td></tr>\n"; 
@@ -1057 +1061 @@
 }
 
+void phindaction::fromUCArray(const UCArray &arrin, text_t &txtout) {
+  txtout.clear();
+  if (txtout.capacity() < arrin.size() + 1) {
+    txtout.reserve(arrin.size() + 1);
+  }
+  vector<unsigned char>::const_iterator here = arrin.begin();
+  vector<unsigned char>::const_iterator end = arrin.end();
+  while (here != end) {
+    txtout.push_back(*here); // don't need to cast unsigned char to unsigned short
+    ++here;
+  }
+}
+
+
 void phindaction::output_error (const text_t &message, ostream &textout, 
                 outconvertclass &outconvert,