Timestamp:
2014-03-18T20:22:59+13:00 (10 years ago)
Author:
ak19
Message:

6th commit for security of cgiargs. Looked over all occurrences of setmacro in *action.cpp files

File:
1 edited

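--- a/main/trunk/greenstone2/runtime-src/src/recpt/extlinkaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/extlinkaction.cpp
@@ -124,5 +124,13 @@
   // problem in whist, above line changed.  Perhaps decode_cgi_arg ??
   // see also HTML plugin
-  disp.setmacro("nexturl", "extlink", args["href"]);
+
+  text_t nexturl_macro = args["href"];
+  if(!isValidURLProtocol(nexturl_macro)) {
+    nexturl_macro = encodeForURL(nexturl_macro); // URL has invalid protocol like javascript:, so URL encode it
+  } else {
+    nexturl_macro = encodeForHTMLAttr(nexturl_macro);
+  }
+
+  disp.setmacro("nexturl", "extlink", nexturl_macro); // goes into a full-url context
   disp.setmacro("prevdoc", "extlink", args["d"]);
 }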
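Review bot: The `prevdoc` macro on the context line right after the new block still receives `args["d"]` unencoded, while `nexturl` now goes through encodeForURL/encodeForHTMLAttr; if prevdoc is expanded into the same page markup it needs the same treatment, e.g. `disp.setmacro("prevdoc", "extlink", encodeForHTMLAttr(args["d"]));`, unless `d` is validated before this point (not visible in the hunk). The commit message says every setmacro in the *action.cpp files was reviewed, so leaving it raw may be deliberate, in which case a one-line comment such as `// "d" is validated upstream, no encoding needed here` would stop the next reader from re-raising it. It would also help to state in the comment on the encodeForURL branch what the two branches guarantee, since isValidURLProtocol and the two encoders are not visible here; presumably the encodeForURL branch turns a non-whitelisted scheme into an inert value rather than rejecting it, and that intent is worth spelling out. The enclosing function begins before this hunk.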