Timestamp:
17.03.2014 21:36:16 (6 years ago)
Author:
ak19
Message:

Fourth commit for security and safe cgiargs.

Location:
main/trunk/greenstone2/runtime-src/src/recpt
Files:
4 modified

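--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -606,4 +606,5 @@
     histvalue += i;
     disp.setmacro(histvalue, "query", escquery);
+    disp.setmacro(histvalue+"Jssafe", "query", encodeForJavascript(escquery));
     format_user_info(cgiargs, userinfo, args, protos, logout);
 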
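Review bot: The new `Jssafe` macro added at new line 608 sits next to the unencoded `histvalue` macro set on the line above, which is left in place, so any display-macro file that still interpolates the history value inside a `<script>` block or inline handler is not changed by this commit. Whether the templates were switched to the `Jssafe` variant is not visible here; it is worth confirming, or recording the contract with a comment such as `// raw value kept for HTML contexts; templates emitting into JavaScript must use the Jssafe variant`. The name `escquery` suggests the value has already been escaped in some form before `encodeForJavascript` is applied; if that is an HTML-style escape the two encodings stack, and the consuming template should be written with that in mind. The enclosing function starts and ends outside this hunk.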
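--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -743,5 +743,5 @@
       << "<form name=\"QueryForm\" method=\"get\" action=\"_gwcgi_\">\n"
       << "<input type=\"hidden\" name=\"a\" value=\"q\">\n"
-      << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsite_\"\n"
+      << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsiteAttrsafe_\"\n"
       << "<input type=\"hidden\" name=\"e\" value=\"_compressedoptions_\">\n"
       << "<input type=\"hidden\" name=\"ccp\" value=\"1\">\n"
@@ -1390,5 +1390,5 @@
     decode_cgi_arg (compressedoptions);
     if (args["w"] == "utf-8") { // if the encoding was utf-8, then compressed options was utf-8, and we need unicode.
-    // if encoding wasn't utf-8, then compressed opotions may be screwed up, but seems to work for 8 bit encodings?
+    // if encoding wasn't utf-8, then compressed options may be screwed up, but seems to work for 8 bit encodings?
       compressedoptions = to_uni(compressedoptions);
     }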
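Review bot: The hidden `site` input at new line 745 is still missing its closing `>`: the string ends with `value=\"_cgiargsiteAttrsafe_\"\n` and the next line opens a fresh `<input`, so the tag is only closed by browser error recovery, and the attribute-safe encoding gives little assurance while the surrounding markup is itself malformed. Change the line to `<< "<input type=\"hidden\" name=\"site\" value=\"_cgiargsiteAttrsafe_\">\n"`. The second hunk only corrects a spelling error in a comment. Both hunks lie inside functions whose start and end are outside the shown lines.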
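--- a/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
@@ -68,5 +68,5 @@
       << "<channel>\n"
       << "  <title>_collectionname_</title>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "  <language>_cgiarglHtmlsafe_</language>\n"
@@ -79,5 +79,5 @@
       << "  <title>_collectionname_</title>\n"
       << "  <url>_iconcollection_</url>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "</image>\n";
@@ -125,8 +125,11 @@
 
     if(!args["hostname"].empty()) {
-      disp.setmacro("httpdomain", "Global", "http://" + encodeForURL(args["hostname"]));
+      disp.setmacro("httpdomain", "Global", "http://" + args["hostname"]);
+      disp.setmacro("httpdomainHtmlsafe", "Global", "http://" + encodeForHTML(args["hostname"]));
     } 
     else { // we shouldn't have to get here
-      disp.setmacro("httpdomain", "Global", "http://localhost:8282"); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      text_t default_domain = "http://localhost:8282";
+      disp.setmacro("httpdomain", "Global", default_domain); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      disp.setmacro("httpdomain", "Global", encodeForHTML(default_domain));
     }
   }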
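Review bot: In the else branch at new lines 131-133 both `setmacro` calls target `"httpdomain"`, so `httpdomainHtmlsafe` is never defined when `args["hostname"]` is empty, even though the RSS template in the two earlier hunks now reads `_httpdomainHtmlsafe_` for its `<link>` elements. The second call should be `disp.setmacro("httpdomainHtmlsafe", "Global", encodeForHTML(default_domain));`. In the if branch the raw `httpdomain` macro has also lost the `encodeForURL` wrapping it had before, so any template that still references `_httpdomain_` now receives the hostname with no encoding at all; if no such reference remains, a comment such as `// raw form kept for non-HTML consumers; HTML output must use httpdomainHtmlsafe` would make that intent explicit. The function closes at new line 135 but its opening is outside the hunk.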
  • main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp

    r28899 r28911  
    786786      << "<pre>\n"; 
    787787 
     788  text_t logcontent = file_tail (logfilename, 100, 1500); 
     789 
    788790  // note that we're expecting lines to be no more than 1500 characters on 
    789791  // average - should fix this file_tail() thing sometime 
    790   textout << outconvert << file_tail (logfilename, 100, 1500); 
     792  textout << outconvert << encodeForHTML(logcontent); 
    791793 
    792794  textout << outconvert << disp << "</pre>\n"