Timestamp:
2014-03-14T17:13:56+13:00 (10 years ago)
Author:
ak19
Message:
  1. The cgiargq query variable is now no longer escaped in the 3 simple or large forms that use it. fqv and other js escaped fields are unchanged, since the jssafe now ensures that backslashes are escaped for macro files, so these resolve correctly in query.dm. 2. securitytools.cpp and .h updated to additionally escape back slashes for macro files when javascript escaping. This is done by default, since jssafe variants of cgiargs are all that are used, and they're used in macro files. 3. Encoded versions of decodedcompressedoptions are now used in all macro files. They're always used in attributes, so the attrsafe version which is set in receptionist.cpp is used.
File:
1 edited

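--- a/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
@@ -125,14 +125,15 @@
 }
 
-text_t encodeForJavascript(const text_t& in, const text_t& immuneChars) {
-  text_t out;
-  text_t::const_iterator here = in.begin();
-  text_t::const_iterator end = in.end();
-  while (here != end) {
-    out += encodeForJavascript(immuneChars, *here); // IMMUNE_JAVASCRIPT by default
-    ++here;
-  }
-  return out;
-}
+text_t encodeForJavascript(const text_t& in, const text_t& immuneChars, bool dmsafe) {
+  text_t out;
+  text_t::const_iterator here = in.begin();
+  text_t::const_iterator end = in.end();
+  while (here != end) {
+    out += encodeForJavascript(immuneChars, *here, dmsafe); // IMMUNE_JAVASCRIPT by default
+    ++here;
+  }
+  return out;
+}
+
 
 text_t encodeForMySQL(const text_t& in, const text_t& immuneChars, const SQLMode mode) {
@@ -259,5 +260,5 @@
 
 // http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java
-text_t encodeForJavascript(const text_t& immuneChars, const unsigned short in) {
+text_t encodeForJavascript(const text_t& immuneChars, const unsigned short in, bool dmsafe) {
  
   text_t result = "";
@@ -294,5 +295,10 @@
       char hex_char[3];
       sprintf(hex_char,"%02X",in);
-      result = "\\x" + text_t(hex_char);
+
+      if(dmsafe) { // double escape backslashes for macro files
+    result = "\\\\x" + text_t(hex_char);
+      } else {
+    result = "\\x" + text_t(hex_char);
+      }
     }
     // otherwise encode with \\uHHHH
@@ -300,5 +306,9 @@
       char hex_char[5];
       sprintf(hex_char,"%04X",in);
-      result = "\\u" + text_t(hex_char);
+      if(dmsafe) { // double escape backslashes for macro files
+    result = "\\\\u" + text_t(hex_char);
+      } else {
+    result = "\\u" + text_t(hex_char);     
+      }
     }
    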
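Review bot: The `dmsafe` branches at new lines 298–302 and 308–312 change the meaning of the returned value — with `dmsafe` set the string is a macro-file-encoded escape rather than a JavaScript one — but neither overload documents this, so a caller that emits the dmsafe output into plain JavaScript would get the literal text `\x41` instead of an encoded character and the encoding would be silently defeated. I would add above the single-character overload at new line 262: `// dmsafe: double the backslash of each \xHH / \uHHHH escape so the macro-file (.dm) parser yields a single backslash; the result is only valid inside a macro file, never in raw JavaScript.` The default for `dmsafe` that the commit message describes lives in the header, which is not shown here, so whether `true` is the default should be confirmed against securitytools.h. The body of that overload between the two lower hunks is outside the view; if it emits a backslash anywhere else, the same doubling would be needed there. The two identical if/else blocks would also read better as a single helper that prepends the right backslash prefix to the hex escape.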