- Timestamp:
- 2014-03-14T22:46:25+13:00 (10 years ago)
- Location:
- main/trunk/greenstone2/runtime-src/src/recpt
- Files:
-
- 19 edited
main/trunk/greenstone2/runtime-src/src/recpt/authenaction.cpp
r22984 r28899 308 308 // _authen:hiddenargs_ to contain all the arguments that were 309 309 // explicitly set 310 disp.setmacro ("messagestatus", "authen", ("_authen:message" + args["us"]310 disp.setmacro ("messagestatus", "authen", ("_authen:message" + encodeForHTML(args["us"]) 311 311 + "_")); 312 312 // change style of header and footer if page is a frame … … 339 339 saveconfset.find((*args_here).first) == saveconfset.end()) { 340 340 hiddenargs += "<input type=hidden name=\"" + (*args_here).first + 341 "\" value=\"_cgiarg" + (*args_here).first + " _\">\n";341 "\" value=\"_cgiarg" + (*args_here).first + "Attrsafe_\">\n"; 342 342 } 343 343 ++args_here; -
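Review bot: The hidden-input `name` attribute at new line 340 is still built from `(*args_here).first` unencoded, while only the `value` side now goes through the `Attrsafe` macro. If the iterated argument names can originate from the request (the loop appears to walk the parsed CGI args, filtered by `saveconfset`), the name needs the same attribute encoding, e.g. `hiddenargs += "<input type=hidden name=\"" + encodeForHTMLAttr((*args_here).first) +`. The enclosing function starts and ends outside this hunk.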
main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
r28888 r28899 796 796 textout << outconvert << disp 797 797 << "Location: _gwcgi_?e=_compressedoptions_&a=d&c=" 798 << collection << "&cl=search&d=" << (*section).OID798 << encodeForURL(collection) << "&cl=search&d=" << (*section).OID 799 799 << "&srn=" << srn << "&srp=" << srp << "\n\n"; 800 800 textout << flush; -
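Review bot: Only `collection` is URL-encoded in the `Location:` header at new line 798; `(*section).OID`, `srn` and `srp` are still written raw into the same header line. Where any of these derive from request arguments, an unencoded CR/LF in the value would terminate the header early, so they should get the same treatment, e.g. `<< "&srn=" << encodeForURL(srn) << "&srp=" << encodeForURL(srp) << "\n\n";` — assuming `encodeForURL` percent-encodes control characters, which is not visible here. The enclosing function lies outside the hunk.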
main/trunk/greenstone2/runtime-src/src/recpt/depositoraction.cpp
r23029 r28899 707 707 if ((depositor_page == "select") || (stepstring == "step")) { 708 708 textout << outconvert << disp << ("_depositor:header_\n") 709 << ("_depositor:" + depositor_page+ "content_\n")709 << ("_depositor:" + encodeForHTML(depositor_page) + "content_\n") 710 710 << ("_depositor:footer_\n"); 711 711 … … 771 771 // output page ("bild" page was already output above) 772 772 textout << outconvert << disp << ("_depositor:header_\n") 773 << ("_depositor:" + depositor_page+ "content_\n")773 << ("_depositor:" + encodeForHTML(depositor_page) + "content_\n") 774 774 << ("_depositor:footer_\n"); 775 775 } -
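Review bot: `encodeForHTML(depositor_page)` at new lines 709 and 773 is applied to a value that forms part of a macro name (`_depositor:<page>content_`), not HTML content, so entity encoding is the wrong tool for this context: it only changes which macro is looked up. The robust check is to validate `depositor_page` against the set of known page names before the macro reference is built (how the expander treats an unknown macro name is not visible here). A comment such as `// depositor_page selects a macro name; validate it against the known page names rather than entity-encoding it` would record the intent. Both enclosing functions extend beyond the hunk.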
main/trunk/greenstone2/runtime-src/src/recpt/documentaction.cpp
r27363 r28899 607 607 outlink = "_httpdocument_&d=" + response.docInfo[0].metadata["section"].values[0]; 608 608 #else 609 outlink = "_httpdocumenthandle_("+ args["c"]+","+response.docInfo[0].metadata["section"].values[0]+")";609 outlink = "_httpdocumenthandle_("+encodeForURL(args["c"])+","+response.docInfo[0].metadata["section"].values[0]+")"; 610 610 #endif 611 611 … … 1066 1066 #ifndef DOCHANDLE 1067 1067 << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d=" 1068 << args["d"]<< "\">"1068 << encodeForURL(args["d"]) << "\">" 1069 1069 #else 1070 1070 << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_(" 1071 << args["c"] << "," << args["d"]<< ")\">"1071 << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">" 1072 1072 #endif 1073 1073 << "<noframes>\n" … … 1143 1143 #ifndef DOCHANDLE 1144 1144 << "<frame name=\"documenttop\" frameborder=0 src=\"_gwcgi_?_optsite_e=_compressedoptions_&a=d&d=" 1145 << args["d"]<< "\">"1145 << encodeForURL(args["d"]) << "\">" 1146 1146 #else 1147 1147 << "<frame name=\"documenttop\" frameborder=0 src=\"_httpdocumenthandle_(" 1148 << args["c"] << "," << args["d"]<< ")\">"1148 << encodeForURL(args["c"]) << "," << encodeForURL(args["d"]) << ")\">" 1149 1149 #endif 1150 1150 << "<noframes>\n" … … 1462 1462 logout << text_t2ascii 1463 1463 << "documentaction::output_document: call to QueryFilter failed " 1464 1464 << "for " << args["c"] << " collection (" << get_comerror_string (err) << ")\n"; 1465 1465 highlight = false; 1466 1466 } … … 1645 1645 if (haschildren) { 1646 1646 #ifndef DOCHANLE 1647 disp.setmacro ("httpnextarrow", "document", "_httpdocument_&cl=" + args["cl"]+1648 "&d=" + arg_d+ ".fc");1647 disp.setmacro ("httpnextarrow", "document", "_httpdocument_&cl=" + encodeForURL(args["cl"]) + 1648 "&d=" + encodeForURL(arg_d) + ".fc"); 1649 1649 #else 1650 disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+ args["c"]+","+arg_d+ ".fc)";1650 
disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+encodeForURL(arg_d) + ".fc)"; 1651 1651 1652 1652 #endif … … 1658 1658 if (!(*h).empty()) { 1659 1659 #ifndef DOCHANLE 1660 disp.setmacro ("httpnextarrow", "document", "_httpdocument_&cl=" + args["cl"]+1660 disp.setmacro ("httpnextarrow", "document", "_httpdocument_&cl=" + encodeForURL(args["cl"]) + 1661 1661 "&d=" + *h); 1662 1662 #else 1663 disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+ args["c"]+","+*h+")";1663 disp.setmacro ("httpnextarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+*h+")"; 1664 1664 1665 1665 #endif … … 1674 1674 if (!previous_sibling.empty()) { 1675 1675 #ifndef DOCHANDLE 1676 disp.setmacro ("httpprevarrow", "document", "_httpdocument_&cl=" + args["cl"]+1676 disp.setmacro ("httpprevarrow", "document", "_httpdocument_&cl=" + encodeForURL(args["cl"]) + 1677 1677 "&d=" + previous_sibling); 1678 1678 #else 1679 disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+ args["c"]+","+ previous_sibling+")");1679 disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+ previous_sibling+")"); 1680 1680 1681 1681 #endif … … 1684 1684 if (countchar(arg_d.begin(), arg_d.end(), '.')) { 1685 1685 #ifndef DOCHANDLE 1686 disp.setmacro ("httpprevarrow", "document", "_httpdocument_&cl=" + args["cl"]+1686 disp.setmacro ("httpprevarrow", "document", "_httpdocument_&cl=" + encodeForURL(args["cl"]) + 1687 1687 "&d=" + get_parent(arg_d)); 1688 1688 #else 1689 disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+ args["c"]+","+get_parent(arg_d)+")");1689 disp.setmacro ("httpprevarrow", "document", "_httpdocumenthandle_("+encodeForURL(args["c"])+","+get_parent(arg_d)+")"); 1690 1690 1691 1691 #endif -
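Review bot: The URL-encoding added at new lines 1647–1648 is not applied consistently within the same hunk: `*h` (1661/1663), `previous_sibling` (1677/1679) and `get_parent(arg_d)` (1687/1689) are interpolated into the same `&d=` / `_httpdocumenthandle_(` positions raw, and `get_parent(arg_d)` is derived from the very `arg_d` that line 1648 does encode, e.g. `"&d=" + encodeForURL(get_parent(arg_d)));`. Separately, the context lines at 1646 and 1659 test `#ifndef DOCHANLE` while the neighbouring blocks test `DOCHANDLE`, so those two handle branches appear never to be compiled in; this pre-dates the commit but is worth fixing while these lines are being touched. The log line at 1464 also writes `args["c"]` into `logout` unencoded, which matters if the log is viewed in a browser via the admin pages. The function bodies continue outside the hunk.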
main/trunk/greenstone2/runtime-src/src/recpt/dynamicclassifieraction.cpp
r22984 r28899 151 151 if (cinfo->dynamic_classifiers.find(arg_dcl) == cinfo->dynamic_classifiers.end()) 152 152 { 153 textout << outconvert << disp << "Error: Invalid dcl value \"" << arg_dcl<< "\".\n";153 textout << outconvert << disp << "Error: Invalid dcl value \"" << encodeForHTML(arg_dcl) << "\".\n"; 154 154 textout << outconvert << disp << "_dynamicclassifier:footer_\n"; 155 155 return true; -
main/trunk/greenstone2/runtime-src/src/recpt/gtiaction.cpp
r22984 r28899 386 386 languageinfo_tmap loaded_languages = recpt->get_configinfo().languages; 387 387 disp.setmacro("gtitargetlanguagename", "gti", loaded_languages[target_language_code].longname); 388 disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key+ "_");388 disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_"); 389 389 390 390 if (query_string == "") { … … 496 496 disp.setmacro("gtitargetfilepath", "gti", gti_response.translation_files_key_to_target_file_path_mapping[translation_file_key]); 497 497 } 498 disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + translation_file_key+ "_");499 disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + translation_file_key+ "inaction_");498 disp.setmacro("gtitranslationfiledesc", "gti", "_gti:textgti" + encodeForHTML(translation_file_key) + "_"); 499 disp.setmacro("gtiviewtranslationfileinaction", "gti", "_gti:gtiview" + encodeForHTML(translation_file_key) + "inaction_"); 500 500 501 501 disp.setmacro("gtinumchunkstranslated", "gti", gti_response.translation_files_key_to_num_chunks_translated_mapping[translation_file_key]); … … 660 660 do_gti_request(gti_arguments, logout); 661 661 662 disp.setmacro("gtiglihelpzipfilepath", "gti", target_language_code+ "_GLIHelp.zip");662 disp.setmacro("gtiglihelpzipfilepath", "gti", encodeForURL(target_language_code) + "_GLIHelp.zip"); 663 663 664 664 return true; -
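Review bot: At new lines 388, 498 and 499 `encodeForHTML(translation_file_key)` is spliced into macro names (`_gti:textgti<key>_`, `_gti:gtiview<key>inaction_`), where entity encoding changes the lookup key rather than protecting an HTML context; validating the key against the known translation-file keys (the `gti_response` mappings indexed by it at 496/501 suggest such a set exists) would be the effective check. At new line 662, `encodeForURL(target_language_code) + "_GLIHelp.zip"` feeds a macro whose name suggests a file path; if that value reaches the filesystem, percent-encoding does not confine it to a single path component, so a character allow-list on `target_language_code` (letters, digits, `-`, `_`) is the appropriate guard. The enclosing functions start outside the hunk.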
main/trunk/greenstone2/runtime-src/src/recpt/pageaction.cpp
r28888 r28899 212 212 213 213 text_t link = "_gwcgi_?"+optsite+"a=p&p=about&c=" + *collist_here; 214 link += "&l=" + args["l"] + "&w=" + args["w"];214 link += "&l=" + encodeForURL(args["l"]) + "&w=" + encodeForURL(args["w"]); 215 215 216 216 // We are "dynamically" overriding so to speak the … … 335 335 if (cinfo->isCollectGroup) { 336 336 link = "<a class=\"collectiontitle\" href=\"_gwcgi_?"+optsite+"a=p&p=home&g=" + *collist_here; 337 link += "&l=" + args["l"] + "&w=" + args["w"]+ "\">";337 link += "&l=" + encodeForURL(args["l"]) + "&w=" + encodeForURL(args["w"]) + "\">"; 338 338 } 339 339 else { 340 340 link = "<a class=\"collectiontitle\" href=\"_gwcgi_?"+optsite+"a=p&p=about&c=" + *collist_here; 341 link += "&l=" + args["l"] + "&w=" + args["w"]+ "\">";341 link += "&l=" + encodeForURL(args["l"]) + "&w=" + encodeForURL(args["w"]) + "\">"; 342 342 } 343 343 … … 515 515 516 516 void pageaction::set_macro_to_file_contents (displayclass &disp, const text_t ¯oname, 517 const text_t &packagename, const text_t &filename ) {517 const text_t &packagename, const text_t &filename, bool encode) { 518 518 519 519 text_t filecontent; … … 531 531 file_in.close(); 532 532 } 533 534 // if we ever need to encode the contents into HTML, call this function with encode=true 535 if(encode) { 536 filecontent = encodeForHTML(filecontent); 537 } 538 533 539 disp.setmacro (macroname, packagename, dm_safe(filecontent)); 534 540 } -
main/trunk/greenstone2/runtime-src/src/recpt/pageaction.h
r11998 r28899 85 85 86 86 void set_macro_to_file_contents (displayclass &disp, const text_t ¯oname, 87 const text_t &packagename, const text_t &filename );87 const text_t &packagename, const text_t &filename, bool encode=false); 88 88 89 89 void set_language_encoding_macros(displayclass &disp, cgiargsclass &args, -
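Review bot: The new `bool encode=false` parameter at new line 87 is undocumented at the declaration, which is where callers will read it; the only explanation is an inline comment in the .cpp. Suggest adding above the declaration `// encode=true runs the file contents through encodeForHTML before they are set as a macro;` `// leave false when the file is meant to be emitted as-is`. A defaulted boolean also reads poorly at call sites (`set_macro_to_file_contents(disp, m, p, f, true)`); an `enum class` would be clearer, but that is a style choice.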
main/trunk/greenstone2/runtime-src/src/recpt/phindaction.cpp
r22984 r28899 152 152 153 153 unsigned long count_l, count_e, count_d; 154 unsigned long phrase = args["ppnum"].getulong(); 154 unsigned long phrase = args["ppnum"].getulong(); // needn't encodeFor<web> on vars which have getulong() applied 155 155 text_t &word = args["pptext"]; 156 156 unsigned long first_e = args["pfe"].getulong(); … … 208 208 209 209 if (result.empty()) { 210 output_error("phindaction: The search term ("+ word+") does not occur in the collection",210 output_error("phindaction: The search term ("+encodeForHTML(word)+") does not occur in the collection", 211 211 textout, outconvert, disp, logout, XMLmode); 212 212 return true; … … 255 255 if (XMLmode) { 256 256 textout << "<phinddata id=\"" << phrase 257 << "\" text=\"" << word257 << "\" text=\"" << encodeForHTMLAttr(word) 258 258 << "\" tf=\"" << tf 259 259 << "\" ef=\"" << ef … … 262 262 << "\">\n"; 263 263 } else { 264 textout << "<html><head><title>" << word<< "</title></head>\n"264 textout << "<html><head><title>" << encodeForHTML(word) << "</title></head>\n" 265 265 << "<body><center>\n" 266 << "<p><h1>" << word<< "</h1>\n"267 << "<p><b>"<< word<< "</b> occurs "266 << "<p><h1>" << encodeForHTML(word) << "</h1>\n" 267 << "<p><b>"<< encodeForHTML(word) << "</b> occurs " 268 268 << tf << " times in " << df << " documents\n"; 269 269 } … … 316 316 textout << outconvert << disp 317 317 << "<br><a href=\"_gwcgi_?" 318 << "c=" << args["c"]318 << "c=" << encodeForURL(args["c"]) 319 319 << "&ppnum=" << phrase 320 320 << "&pfe=" << first_e … … 328 328 textout << outconvert << disp 329 329 << "<br><a href=\"_gwcgi_?" 330 << "c=" << args["c"]330 << "c=" << encodeForURL(args["c"]) 331 331 << "&ppnum=" << phrase 332 332 << "&pfe=" << first_e … … 379 379 textout << outconvert << disp 380 380 << "<br><a href=\"_gwcgi_?" 
381 << "c=" << args["c"]381 << "c=" << encodeForURL(args["c"]) 382 382 << "&ppnum=" << phrase 383 383 << "&pfe=" << first_e … … 391 391 textout << outconvert << disp 392 392 << "<br><a href=\"_gwcgi_?" 393 << "c=" << args["c"]393 << "c=" << encodeForURL(args["c"]) 394 394 << "&ppnum=" << phrase 395 395 << "&pfe=" << first_e … … 453 453 textout << outconvert << disp 454 454 << "<br><a href=\"_gwcgi_?" 455 << "c=" << args["c"]455 << "c=" << encodeForURL(args["c"]) 456 456 << "&ppnum=" << phrase 457 457 << "&pfe=" << first_e … … 465 465 textout << outconvert << disp 466 466 << "<br><a href=\"_gwcgi_?" 467 << "c=" << args["c"]467 << "c=" << encodeForURL(args["c"]) 468 468 << "&ppnum=" << phrase 469 469 << "&pfe=" << first_e … … 742 742 textout << "<tr valign=top><td>" << type << "</td><td>"; 743 743 textout << outconvert << disp 744 << "<a href=\"_gwcgi_?c=" << collection;744 << "<a href=\"_gwcgi_?c=" << encodeForURL(collection); 745 745 textout << "&ppnum=" << phrase << "\">" << text << "</a>" 746 746 << "</td><td>" << tf << "</td><td>" << df << "</td></tr>\n"; … … 847 847 << "\" df=\"" << df; 848 848 if (!prefix.empty()) { 849 textout << "\" prefix=\"" << prefix; 849 text_t prefix_txt; 850 fromUCArray(prefix, prefix_txt); 851 textout << "\" prefix=\"" << encodeForHTMLAttr(prefix_txt); 850 852 } 851 853 if (!suffix.empty()) { 852 textout << "\" suffix=\"" << suffix; 854 text_t suffix_txt; 855 fromUCArray(suffix, suffix_txt); 856 textout << "\" suffix=\"" << encodeForHTMLAttr(suffix_txt); 853 857 } 854 858 textout << "\"/>\n"; … … 856 860 textout << outconvert << disp 857 861 << "<tr valign=top><td align=right><a href=\"_gwcgi_?" 858 << "c=" << collection<< "&ppnum=" << phrase << "\">";862 << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">"; 859 863 textout << prefix << "</a></td>"; 860 864 textout <<outconvert << disp 861 865 << "<td align=center><a href=\"_gwcgi_?" 
862 << "c=" << collection<< "&ppnum=" << phrase << "\">"863 << body<< "</a></td>"866 << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">" 867 << encodeForHTML(body) << "</a></td>" 864 868 << "<td align=left><a href=\"_gwcgi_?" 865 << "c=" << collection<< "&ppnum=" << phrase << "\">";869 << "c=" << encodeForURL(collection) << "&ppnum=" << phrase << "\">"; 866 870 textout << suffix << "</a></td>" 867 871 << "<td>" << tf << "</td><td>" << df << "</td></tr>\n"; … … 986 990 textout << outconvert << disp 987 991 << "<tr valign=top><td><a href=\"_gwcgi_?" 988 << "c=" << collection;992 << "c=" << encodeForURL(collection); 989 993 textout << "&a=d&d=" << hash << "\">" << title << "</a>" 990 994 << "</td><td>" << freq << "</td></tr>\n"; … … 1057 1061 } 1058 1062 1063 void phindaction::fromUCArray(const UCArray &arrin, text_t &txtout) { 1064 txtout.clear(); 1065 if (txtout.capacity() < arrin.size() + 1) { 1066 txtout.reserve(arrin.size() + 1); 1067 } 1068 vector<unsigned char>::const_iterator here = arrin.begin(); 1069 vector<unsigned char>::const_iterator end = arrin.end(); 1070 while (here != end) { 1071 txtout.push_back(*here); // don't need to cast unsigned char to unsigned short 1072 ++here; 1073 } 1074 } 1075 1076 1059 1077 void phindaction::output_error (const text_t &message, ostream &textout, 1060 1078 outconvertclass &outconvert, -
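Review bot: In the non-XML branch the encoding is uneven: `body` is HTML-encoded at new line 867, but `prefix` and `suffix` are still streamed raw into the same `<a>` elements at new lines 863 and 870, as are `text` at 745 and `title` at 993 (and `hash` in the `&d=` parameter at 993). Since `prefix`/`suffix` are `UCArray`s, the new `fromUCArray` helper already provides the conversion, so after converting the HTML branch can write `textout << encodeForHTML(prefix_txt) << "</a></td>";` and likewise for `suffix`. `fromUCArray` (new lines 1063–1074) pushes each byte as one `text_t` character with no multibyte decoding; if `UCArray` holds UTF-8, non-ASCII text will be mis-rendered, which deserves a comment on the helper such as `// copies bytes one-to-one into text_t; performs no UTF-8 decoding`. The functions around lines 745/863/993 extend beyond the hunk.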
main/trunk/greenstone2/runtime-src/src/recpt/phindaction.h
r7734 r28899 93 93 94 94 void toUCArray(const text_t &in, UCArray &out); 95 void fromUCArray(const UCArray &arrin, text_t &txtout); 95 96 96 97 void output_error (const text_t &message, ostream &textout, -
main/trunk/greenstone2/runtime-src/src/recpt/pingaction.cpp
r25559 r28899 76 76 textout << outconvert << "Ping"; 77 77 } else { 78 textout << outconvert << "Ping for \"" << args["c"]<< "\"";78 textout << outconvert << "Ping for \"" << encodeForHTML(args["c"]) << "\""; 79 79 } 80 80 -
main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
r28888 r28899 747 747 << "<input type=\"hidden\" name=\"ccp\" value=\"1\">\n" 748 748 << "<center><table width=\"_pagewidth_\"><tr valign=\"top\">\n" 749 << "<td>Select collections to search for \"" << args["q"]750 << "\" <i>(index=" << index << " subcollection=" << subcollection751 << " language=" << language<< ")</i></td>\n"749 << "<td>Select collections to search for \"" << encodeForHTML(args["q"]) 750 << "\" <i>(index=" << encodeForHTML(index) << " subcollection=" << encodeForHTML(subcollection) 751 << " language=" << encodeForHTML(language) << ")</i></td>\n" 752 752 << "<td><input type=\"submit\" value=\"_query:textbeginsearch_\"></td>\n" 753 753 << "</tr></table></center>\n" -
main/trunk/greenstone2/runtime-src/src/recpt/receptionist.cpp
r28898 r28899 1533 1533 text_t urlsafe = encodeForURL(macrovalue); 1534 1534 text_t jssafe = encodeForJavascript(macrovalue); // with default setting will return \\x and \\u for macro files 1535 text_t csssafe = encodeForCSS(macrovalue); 1535 text_t csssafe = encodeForCSS(macrovalue); // not yet used anywhere, but is available for use in macros 1536 text_t sqlsafe = encodeForSQL(macrovalue); 1536 1537 1537 1538 disp.setmacro ("cgiarg" + (*argshere).first + "Htmlsafe", displayclass::defaultpackage, htmlsafe); 1538 1539 disp.setmacro ("cgiarg" + (*argshere).first + "Attrsafe", displayclass::defaultpackage, attrsafe); 1540 disp.setmacro ("cgiarg" + (*argshere).first + "Urlsafe", displayclass::defaultpackage, urlsafe); 1539 1541 disp.setmacro ("cgiarg" + (*argshere).first + "Jssafe", displayclass::defaultpackage, jssafe); 1540 1542 disp.setmacro ("cgiarg" + (*argshere).first + "Csssafe", displayclass::defaultpackage, csssafe); 1541 disp.setmacro ("cgiarg" + (*argshere).first + " Urlsafe", displayclass::defaultpackage, urlsafe);1543 disp.setmacro ("cgiarg" + (*argshere).first + "Sqlsafe", displayclass::defaultpackage, sqlsafe); 1542 1544 1543 1545 -
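Review bot: The new `Sqlsafe` macro at new line 1543 publishes a MySQL-style escaped copy of every CGI argument to the macro language, which invites string-built SQL in macro files; escaping only protects a value placed inside a quoted string literal, never an identifier or a bare clause. If it stays, a comment next to it should say so, e.g. `// Sqlsafe is only valid inside a quoted SQL string literal; prefer bound parameters where the DB API allows`. The encoder is a port of the OWASP MySQL codec (see securitytools.cpp in this changeset), so the generic name overstates what it covers. The loop that produces these macros starts outside the hunk.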
main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
r27095 r28899 70 70 << " <link>_httpdomain__httppageabout_</link>\n" 71 71 << " <description>_collectionextra_</description>\n" 72 << " <language>_cgiargl _</language>\n"72 << " <language>_cgiarglHtmlsafe_</language>\n" 73 73 << " <pubDate>Thu, 23 Aug 1999 07:00:00 GMT</pubDate>\n" 74 74 << " <lastBuildDate>Thu, 23 Aug 1999 16:20:26 GMT</lastBuildDate>\n" … … 122 122 // If ever adding a custom macro file like rss.dm that mentions the package, need to list rss.dm in etc/main.cfg 123 123 124 if(disp.havemacro("Global", "httpdomain") == 0) { // if using rss package, will check rss and Global packages in order. And if not found:124 if(disp.havemacro("Global", "httpdomain") == 0) { // if using rss package, will check rss and Global packages in order. And if not found: 125 125 126 126 if(!args["hostname"].empty()) { 127 disp.setmacro("httpdomain", "Global", "http://" + args["hostname"]);127 disp.setmacro("httpdomain", "Global", "http://" + encodeForURL(args["hostname"])); 128 128 } 129 129 else { // we shouldn't have to get here -
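Review bot: `"http://" + encodeForURL(args["hostname"])` at new line 127 lets a request-supplied value choose the domain that every feed link is built on; percent-encoding does not address that, and depending on the encoder's immune set it may also mangle the dots in a legitimate hostname. The safer shape is to take `httpdomain` from server configuration, or to validate `args["hostname"]` against a configured list of allowed hosts before use. A comment such as `// hostname is request-supplied; it must be allow-listed, encoding alone is not sufficient` would flag this for the next reader. The enclosing function continues outside the hunk.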
main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp
r28898 r28899 136 136 } 137 137 138 139 text_t encodeForMySQL(const text_t& in, const text_t& immuneChars, const SQLMode mode) { 140 text_t out; 141 text_t::const_iterator here = in.begin(); 142 text_t::const_iterator end = in.end(); 143 while (here != end) { 144 out += encodeForMySQL(immuneChars, *here, mode); // IMMUNE_SQL and STANDARD SQLMode by default 138 text_t encodeForSQL(const text_t& in, const text_t& immuneChars, const SQLMode mode) { 139 text_t out; 140 text_t::const_iterator here = in.begin(); 141 text_t::const_iterator end = in.end(); 142 while (here != end) { 143 out += encodeForSQL(immuneChars, *here, mode); // IMMUNE_SQL and STANDARD SQLMode by default 145 144 ++here; 146 145 } … … 320 319 321 320 /* 321 322 C++ port of OWASP-ESAPI for MySQL. Not sure if this is is the same for SQLite 323 322 324 http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java 323 325 Defense Option 3 of https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet … … 335 337 336 338 */ 337 text_t encodeFor MySQL(const text_t& immuneChars, const unsigned short in, const SQLMode mode) {339 text_t encodeForSQL(const text_t& immuneChars, const unsigned short in, const SQLMode mode) { 338 340 339 341 text_t result = ""; … … 392 394 } 393 395 396 // Unused at present. 394 397 // See Codec.hex[] initialization and Codec.getHexForNonAlphanumeric(c) and Codec.toHex(c) 395 398 // http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/Codec.java -
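Review bot: Renaming `encodeForMySQL` to `encodeForSQL` at new lines 138 and 339 gives a MySQL-specific codec a database-neutral name while the comment at 322 admits SQLite was not checked. In its standard mode the ESAPI MySQLCodec emits backslash escapes; SQLite does not treat backslash as an escape in string literals and expects `'` to be doubled, so a caller on SQLite would get no protection from this function. Either keep the MySQL name, or make the quote-doubling form an explicit choice via the `SQLMode` argument and document it: `// STANDARD = MySQL backslash escaping; use the ANSI/quote-doubling mode for SQLite and other ANSI-SQL engines`. Whether this port retains ESAPI's ANSI mode is not visible here.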
main/trunk/greenstone2/runtime-src/src/recpt/securitytools.h
r28898 r28899 28 28 text_t encodeForHTMLAttr(const text_t& input, const text_t& immuneChars=IMMUNE_HTMLATTR); 29 29 text_t encodeForCSS(const text_t& input, const text_t& immuneChars=IMMUNE_CSS); 30 text_t encodeForMySQL(const text_t& input, const text_t& immuneChars=IMMUNE_SQL, const SQLMode mode=STANDARD); 30 // C++ port of OWASP-ESAPI for MySQL, not sure if this is is the same for SQLite 31 text_t encodeForSQL(const text_t& input, const text_t& immuneChars=IMMUNE_SQL, const SQLMode mode=STANDARD); 31 32 32 33 // Character conversions … … 35 36 text_t encodeForJavascript(const text_t& immuneChars, const unsigned short input, bool dmsafe); 36 37 text_t encodeForCSS(const text_t& immuneChars, const unsigned short input); 37 text_t encodeFor MySQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode);38 text_t encodeForSQL(const text_t& immuneChars, const unsigned short input, const SQLMode mode); 38 39 39 40 -
main/trunk/greenstone2/runtime-src/src/recpt/sqlqueryaction.cpp
r28888 r28899 270 270 if (args["qt"]=="0" && args["sqlqto"] != "1") { // normal text search 271 271 unsafe_cgi_arg("ALL", args["q"]); 272 formattedstring = "SELECT DISTINCT docOID FROM document_metadata WHERE " + args["q"];272 formattedstring = "SELECT DISTINCT docOID FROM document_metadata WHERE " + encodeForSQL(args["q"]); 273 273 } 274 274 else if (args["qt"]=="1" || args["sqlqto"]=="1"){ // form search -
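Review bot: `encodeForSQL(args["q"])` at new line 272 does not make this query safe: `args["q"]` is appended as the entire `WHERE` clause (the `unsafe_cgi_arg("ALL", ...)` call on the previous line acknowledges it is free-form SQL), and the encoder is designed for a value inside a quoted string literal, so it either breaks legitimate quoted terms in the clause or leaves the bare predicate intact. The effective mitigation is to stop accepting SQL text from the client here — build the clause from validated field/operator/value triples with bound parameters, or at minimum parse `args["q"]` against a restricted grammar before use. Until then the line deserves a comment like `// FIXME: escaping a whole WHERE clause is not a defence; args["q"] is executed as SQL`. The enclosing function continues outside the hunk.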
main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
r22984 r28899 353 353 arg_value = args.getarg (ainfo.shortname); 354 354 if (arg_value == NULL) textout << outconvert << "<td></td></tr>\n"; 355 else textout << outconvert << "<td>\"" << *arg_value<< "\"</td></tr>\n";355 else textout << outconvert << "<td>\"" << encodeForHTML(*arg_value) << "\"</td></tr>\n"; 356 356 357 357 ++argsinfohere; … … 547 547 548 548 if (rprotolist_here == rprotolist_end) { 549 textout << outconvert << "Protocol \"" << arg_pr<< "\" with collection \""550 << arg_c<< "\" was not found\n";549 textout << outconvert << "Protocol \"" << encodeForHTML(arg_pr) << "\" with collection \"" 550 << encodeForHTML(arg_c) << "\" was not found\n"; 551 551 552 552 } else { … … 819 819 text_t errorpage = "<p><pre>\n"; 820 820 821 text_t errorpage_content; 821 822 char c; 822 823 errin.get(c); 823 824 while (!errin.eof ()) { 824 errorpage .push_back(c);825 errorpage_content.push_back(c); 825 826 errin.get(c); 826 827 } 827 828 // need to ensure that error_log displayed from Admin pages is encoded/safe for an HTML context 829 errorpage += encodeForHTML(errorpage_content); 830 828 831 errorpage += "</pre>\n"; 829 832 errin.close(); … … 849 852 text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg"); 850 853 #else 851 text_t llssite_cfg = "llssite.cfg";854 text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg"); //"llssite.cfg"; 852 855 #endif 853 856 … … 1138 1141 else { 1139 1142 output_errorpage (outconvert, textout, logout, 1140 "Unknown page \"" + arg_p+ "\".\n");1143 "Unknown page \"" + encodeForHTML(arg_p) + "\".\n"); 1141 1144 } 1142 1145 -
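Review bot: The `#else` branch at new line 854 now duplicates the `#ifdef` branch (`filename_cat (gsdlhome, "llssite.cfg")`) and leaves the old value behind as a trailing `//"llssite.cfg";` comment, so the conditional no longer selects anything and the dead literal will confuse readers. Either collapse both branches into a single unconditional `text_t llssite_cfg = filename_cat (gsdlhome, "llssite.cfg");` or, if the platforms genuinely need to differ, restore the distinct value. This change is also unrelated to the encoding fixes in the rest of the changeset and would be easier to audit as its own commit. The surrounding function lies outside the hunk.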
main/trunk/greenstone2/runtime-src/src/recpt/usersaction.cpp
r22984 r28899 235 235 if (user_database->get_user_info(*users_here, userinfo) == ERRNO_SUCCEED) { 236 236 textout << outconvert << disp 237 << "<tr><td bgcolor=\"\\#eeeeee\">" << userinfo.username<< "</td>\n"237 << "<tr><td bgcolor=\"\\#eeeeee\">" << encodeForHTML(userinfo.username) << "</td>\n" 238 238 << "<td bgcolor=\"\\#eeeeee\">" << (char *) (userinfo.enabled ? "enabled" : "disabled") << "</td>\n" 239 << "<td bgcolor=\"\\#eeeeee\">" << userinfo.groups<< " </td>\n"240 << "<td bgcolor=\"\\#eeeeee\">" << userinfo.comment<< " </td>\n"239 << "<td bgcolor=\"\\#eeeeee\">" << encodeForHTML(userinfo.groups) << " </td>\n" 240 << "<td bgcolor=\"\\#eeeeee\">" << encodeForHTML(userinfo.comment) << " </td>\n" 241 241 << "<td><a href=\"_httpcurrentdocument_&a=um&uma=edituser&umun=" 242 << userinfo.username<< "\">_userslistusers:textedituser_</a> "242 << encodeForHTML(userinfo.username) << "\">_userslistusers:textedituser_</a> " 243 243 << "<a href=\"_httpcurrentdocument_&a=um&uma=deleteuser&umun=" 244 << userinfo.username<< "\">_userslistusers:textdeleteuser_</a>"244 << encodeForHTML(userinfo.username) << "\">_userslistusers:textdeleteuser_</a>" 245 245 << "</td></tr>\n\n"; 246 246
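Review bot: At new lines 242 and 244 `encodeForHTML(userinfo.username)` is placed inside an `href` query parameter (`&umun=...`), which is a URL context within an attribute; HTML entity encoding there leaves URL-reserved characters such as `&`, `=` and `?` untouched, so a username containing them changes how the `umun` parameter is parsed. Use `encodeForURL(userinfo.username)` for those two positions (the table-cell output at 237 correctly stays HTML-encoded). Since the whole stream also passes through `disp`, macro-significant characters in usernames may additionally need `dm_safe`, as pageaction.cpp applies to file contents. The enclosing loop starts outside the hunk.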