Changeset 28911

Timestamp:
17.03.2014 21:36:16 (6 years ago)
Author:
ak19
Message:

Fourth commit for security and safe cgiargs.

Location:
main/trunk/greenstone2
Files:
6 modified

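--- a/main/trunk/greenstone2/macros/query.dm
+++ b/main/trunk/greenstone2/macros/query.dm
@@ -111,24 +111,24 @@
 _historypagescriptextra_{
 
-var histvalue0='_histvalue0_';
-var histvalue1='_histvalue1_';
-var histvalue2='_histvalue2_';
-var histvalue3='_histvalue3_';
-var histvalue4='_histvalue4_';
-var histvalue5='_histvalue5_';
-var histvalue6='_histvalue6_';
-var histvalue7='_histvalue7_';
-var histvalue8='_histvalue8_';
-var histvalue9='_histvalue9_';
-var histvalue10='_histvalue10_';
-var histvalue11='_histvalue11_';
-var histvalue12='_histvalue12_';
-var histvalue13='_histvalue13_';
-var histvalue14='_histvalue14_';
-var histvalue15='_histvalue15_';
-var histvalue16='_histvalue16_';
-var histvalue17='_histvalue17_';
-var histvalue18='_histvalue18_';
-var histvalue19='_histvalue19_';
+var histvalue0='_histvalue0Jssafe_';
+var histvalue1='_histvalue1Jssafe_';
+var histvalue2='_histvalue2Jssafe_';
+var histvalue3='_histvalue3Jssafe_';
+var histvalue4='_histvalue4Jssafe_';
+var histvalue5='_histvalue5Jssafe_';
+var histvalue6='_histvalue6Jssafe_';
+var histvalue7='_histvalue7Jssafe_';
+var histvalue8='_histvalue8Jssafe_';
+var histvalue9='_histvalue9Jssafe_';
+var histvalue10='_histvalue10Jssafe_';
+var histvalue11='_histvalue11Jssafe_';
+var histvalue12='_histvalue12Jssafe_';
+var histvalue13='_histvalue13Jssafe_';
+var histvalue14='_histvalue14Jssafe_';
+var histvalue15='_histvalue15Jssafe_';
+var histvalue16='_histvalue16Jssafe_';
+var histvalue17='_histvalue17Jssafe_';
+var histvalue18='_histvalue18Jssafe_';
+var histvalue19='_histvalue19Jssafe_';
 
 function inputQuery(value) \{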
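Review bot: The Jssafe macros only make the values safe inside the single-quoted string literals on lines 113–132; they do not make them safe to write into markup, so what `inputQuery` (declared on line 134, body outside the hunk) does with `histvalueN` decides whether a further encoding step is needed. Assigning them to a form field's `.value` property is fine; building HTML from them (innerHTML, document.write) would need HTML-encoding at that point, which the JS encoding does not provide. A comment above the block would record the contract for the next maintainer: `// histvalueN are JavaScript-string-encoded only (set in basequeryaction.cpp); do not insert them into HTML without escaping`.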
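--- a/main/trunk/greenstone2/perllib/plugouts/BasePlugout.pm
+++ b/main/trunk/greenstone2/perllib/plugouts/BasePlugout.pm
@@ -918,5 +918,5 @@
         my $rss_entry = "<item>\n";
         $rss_entry   .= "   <title>$dc_title</title>\n";
-    $rss_entry   .= "   <link>_httpdomain__httpcollection_/document/$oid</link>\n";
+    $rss_entry   .= "   <link>_httpdomainHtmlsafe__httpcollection_/document/$oid</link>\n";
     $rss_entry   .= "</item>";
 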
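Review bot: `$dc_title` on line 919 and `$oid` on line 920 are still interpolated into the RSS item unescaped, so a title containing `&` or `<` yields malformed (or injectable) XML even after the domain macro on line 920 is made HTML-safe. Unless both are escaped upstream (not visible here), apply the same treatment before building `$rss_entry`, e.g. `(my $safe_title = $dc_title) =~ s/&/&amp;/g; $safe_title =~ s/</&lt;/g; $safe_title =~ s/>/&gt;/g;` and use `$safe_title` in the `<title>` element, with `$oid` percent-encoded for the `<link>` path. The enclosing sub starts and ends outside the hunk.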
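--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -606,4 +606,5 @@
     histvalue += i;
     disp.setmacro(histvalue, "query", escquery);
+    disp.setmacro(histvalue+"Jssafe", "query", encodeForJavascript(escquery));
     format_user_info(cgiargs, userinfo, args, protos, logout);
     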
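Review bot: The new line 608 is only as strong as encodeForJavascript(), because query.dm wraps `_histvalueNJssafe_` in a single-quoted literal inside an inline `<script>` block: besides `'`, `\`, CR and LF the encoder must also neutralise `<` (e.g. as `\x3c`) and ideally `/`, otherwise a query containing `</script>` closes the script element before the JS string is ever parsed and the encoding does not help. Confirm the encoder (defined outside this hunk) handles those characters, and try a history entry such as `'</script><script>alert(1)</script>`; if it fails, extend the encoder rather than patching call sites. `escquery` is presumably already HTML-escaped, given its use for the `query` macro on line 607, so the JS macro is built on top of that; a comment should make the layering explicit: `// escquery is the HTML-escaped query; JS-encode it as well so it can sit inside a '...' literal in query.dm`. The enclosing function starts and ends outside the hunk.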
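--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -743,5 +743,5 @@
       << "<form name=\"QueryForm\" method=\"get\" action=\"_gwcgi_\">\n"
       << "<input type=\"hidden\" name=\"a\" value=\"q\">\n"
-          << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsite_\"\n"
+          << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsiteAttrsafe_\"\n"
       << "<input type=\"hidden\" name=\"e\" value=\"_compressedoptions_\">\n"
       << "<input type=\"hidden\" name=\"ccp\" value=\"1\">\n"
@@ -1390,5 +1390,5 @@
     decode_cgi_arg (compressedoptions);
     if (args["w"] == "utf-8") { // if the encoding was utf-8, then compressed options was utf-8, and we need unicode.
-    // if encoding wasn't utf-8, then compressed opotions may be screwed up, but seems to work for 8 bit encodings?
+    // if encoding wasn't utf-8, then compressed options may be screwed up, but seems to work for 8 bit encodings?
       compressedoptions = to_uni(compressedoptions);
     }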
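Review bot: Line 745 is still missing the closing `>` of the hidden `site` input — the literal ends `\"\n"` rather than `\">\n"` — so the `<input name="e" ...>` on line 746 is emitted inside the unterminated `site` tag and, following HTML5 attribute-name error recovery, may be absorbed as attributes of it rather than becoming a separate field. Since the commit rewrites that line anyway, terminate it: `<< "<input type=\"hidden\" name=\"site\" value=\"_cgiargsiteAttrsafe_\">\n"`, and verify with a request trace that `e` is actually submitted before and after. `_compressedoptions_` on line 746 is also written into an attribute value without Attrsafe treatment; it appears to be derived from request data (see the decode_cgi_arg call on line 1390), so it deserves the same encoding unless its format already excludes `"`, `&` and `<`. The enclosing function starts and ends outside the hunk.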
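--- a/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
@@ -68,5 +68,5 @@
       << "<channel>\n"
       << "  <title>_collectionname_</title>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "  <language>_cgiarglHtmlsafe_</language>\n"
@@ -79,5 +79,5 @@
       << "  <title>_collectionname_</title>\n"
       << "  <url>_iconcollection_</url>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "</image>\n";
@@ -125,8 +125,11 @@
     
     if(!args["hostname"].empty()) {
-      disp.setmacro("httpdomain", "Global", "http://" + encodeForURL(args["hostname"]));
+      disp.setmacro("httpdomain", "Global", "http://" + args["hostname"]);
+      disp.setmacro("httpdomainHtmlsafe", "Global", "http://" + encodeForHTML(args["hostname"]));
     } 
     else { // we shouldn't have to get here
-      disp.setmacro("httpdomain", "Global", "http://localhost:8282"); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      text_t default_domain = "http://localhost:8282";
+      disp.setmacro("httpdomain", "Global", default_domain); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      disp.setmacro("httpdomain", "Global", encodeForHTML(default_domain));
     }
   }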
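Review bot: Line 133 sets `httpdomain` a second time, with the HTML-encoded default, instead of defining `httpdomainHtmlsafe`; in the fallback branch `httpdomainHtmlsafe` is therefore never defined while `httpdomain` is overwritten with its encoded form, the opposite of what lines 127–128 do in the main branch. Change it to `disp.setmacro("httpdomainHtmlsafe", "Global", encodeForHTML(default_domain));`. Separately, line 127 drops the encodeForURL() the old line applied, so any remaining consumer of `_httpdomain_` (the comment on line 132 mentions zextra.dm) now receives the raw value; and if `hostname` is a request argument rather than a server-derived value, a link to the feed with a chosen `hostname` controls every `<link>` in it even once HTML-encoded, so validating it against the configured site host, or deriving it server-side, is the stronger fix. The enclosing function starts and ends outside the hunk.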
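--- a/main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
@@ -786,7 +786,9 @@
       << "<pre>\n";
 
+  text_t logcontent = file_tail (logfilename, 100, 1500);
+
   // note that we're expecting lines to be no more than 1500 characters on
   // average - should fix this file_tail() thing sometime
-  textout << outconvert << file_tail (logfilename, 100, 1500);
+  textout << outconvert << encodeForHTML(logcontent);
 
   textout << outconvert << disp << "</pre>\n"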
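Review bot: The comment on lines 790–791 ("expecting lines to be no more than 1500 characters … should fix this file_tail() thing") now sits between the `file_tail` call it describes (line 788) and the output statement, so it reads as if it explained the encodeForHTML line; move it above line 788 and give the new line its own reason, e.g. `// encode before output: the log can contain request-supplied strings and is printed inside <pre>`. Encoding before `outconvert` is the right order, and the log text is correctly not routed through `disp`, so macro-like `_name_` tokens in the log are not expanded. Because this page exposes a server log tail, confirm that statusaction is reachable only by an authenticated administrator — any such check is outside the hunk — since HTML encoding does nothing for information disclosure. The enclosing function starts and ends outside the hunk.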