Diffstat (limited to 'app/acf-util')
-rw-r--r--app/acf-util/logon-html.lsp2
-rw-r--r--app/acf-util/logon-logout-html.lsp2
-rw-r--r--app/acf-util/logon-status-html.lsp4
-rwxr-xr-xapp/acf-util/password-html.lsp2
-rwxr-xr-xapp/acf-util/password-status-html.lsp22
-rw-r--r--app/acf-util/roles-editrole-html.lsp12
-rw-r--r--app/acf-util/roles-html.lsp16
-rw-r--r--app/acf-util/roles-viewroles-html.lsp18
8 files changed, 39 insertions, 39 deletions
diff --git a/app/acf-util/logon-html.lsp b/app/acf-util/logon-html.lsp
index f6137cf..643ab86 100644
--- a/app/acf-util/logon-html.lsp
+++ b/app/acf-util/logon-html.lsp
@@ -4,7 +4,7 @@
io.write(html.cfe_unpack(form))
--]] %>
-<h1><%= form.label %></h1>
+<h1><%= html.html_escape(form.label) %></h1>
<%
form.value.password.type = "password"
form.value.redir.type = "hidden"
diff --git a/app/acf-util/logon-logout-html.lsp b/app/acf-util/logon-logout-html.lsp
index a658ea9..b7b72f4 100644
--- a/app/acf-util/logon-logout-html.lsp
+++ b/app/acf-util/logon-logout-html.lsp
@@ -3,4 +3,4 @@
<%= html.cfe_unpack(view) %>
-<%= view.logout.value %>
+<%= html.html_escape(view.logout.value) %>
diff --git a/app/acf-util/logon-status-html.lsp b/app/acf-util/logon-status-html.lsp
index 5fb70c9..753248f 100644
--- a/app/acf-util/logon-status-html.lsp
+++ b/app/acf-util/logon-status-html.lsp
@@ -4,5 +4,5 @@
--]] %>
<h1>User Status </h1>
<p> Below is your current Session id <p>
-<%= view.value.sessionid.value %>
-<p>You are currently known to the system as <%= view.value.username.value %>.</p>
+<%= html.html_escape(view.value.sessionid.value) %>
+<p>You are currently known to the system as <%= html.html_escape(view.value.username.value) %>.</p>
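Review bot: Escaping fixes the injection, but the new line `<%= html.html_escape(view.value.sessionid.value) %>` still prints the session identifier into the page body, and that identifier is the credential any script able to read the DOM would want. Escaping does not reduce that exposure; consider dropping the session id from this view, or rendering only a truncated form of it if the status page needs to show something. The surrounding template is otherwise unchanged by this hunk.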
diff --git a/app/acf-util/password-html.lsp b/app/acf-util/password-html.lsp
index faf8e44..7de8f88 100755
--- a/app/acf-util/password-html.lsp
+++ b/app/acf-util/password-html.lsp
@@ -9,7 +9,7 @@ io.write("</span>")
--]]
%>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
if form.value.password and form.value.password_confirm then
form.value.password.type = "password"
diff --git a/app/acf-util/password-status-html.lsp b/app/acf-util/password-status-html.lsp
index d7db4e9..714dfae 100755
--- a/app/acf-util/password-status-html.lsp
+++ b/app/acf-util/password-status-html.lsp
@@ -13,29 +13,29 @@ io.write("</span>")
<H1>User Accounts</H1>
<H2>Create new account</H2>
<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newuser" method="POST">
-<input class="hidden" type="hidden" name="redir" value="<%= page_info.orig_action %>" >
+<input class="hidden" type="hidden" name="redir" value="<%= html.html_escape(page_info.orig_action) %>" >
<dl><dt></dt><dd><input class="submit" type="submit" value="New User"></dd></dl>
</form>
<H2>Existing account</H2>
<DL>
<% for name,user in pairs(form.value) do %>
- <DT><IMG SRC='/skins/static/tango/16x16/apps/system-users.png' HEIGHT='16' WIDTH='16'> <%= name %></DT>
+ <DT><IMG SRC='/skins/static/tango/16x16/apps/system-users.png' HEIGHT='16' WIDTH='16'> <%= html.html_escape(name) %></DT>
<DD><TABLE>
<TR>
- <TD STYLE='border:none;'><B><%= user.value.userid.label %></B></TD>
- <TD STYLE='border:none;' WIDTH='90%'><%= user.value.userid.value %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.userid.label) %></B></TD>
+ <TD STYLE='border:none;' WIDTH='90%'><%= html.html_escape(user.value.userid.value) %></TD>
</TR><TR>
- <TD STYLE='border:none;'><B><%= user.value.username.label %></B></TD>
- <TD STYLE='border:none;'><%= user.value.username.value %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.username.label) %></B></TD>
+ <TD STYLE='border:none;'><%= html.html_escape(user.value.username.value) %></TD>
</TR><TR>
- <TD STYLE='border:none;'><B><%= user.value.roles.label %></B></TD>
- <TD STYLE='border:none;'><%= table.concat(user.value.roles.value, " / ") %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.roles.label) %></B></TD>
+ <TD STYLE='border:none;'><%= html.html_escape(table.concat(user.value.roles.value, " / ")) %></TD>
</TR><TR>
<TD STYLE='border:none;'><B>Option</B></TD>
<TD STYLE='border:none;'>
- [<A HREF='edituser?userid=<%= name %>&redir=<%= page_info.orig_action %>'>Edit this account</A>]
- [<A HREF='deleteuser?userid=<%= name %>'>Delete this account</A>]
- [<A HREF='<%= page_info.script %>/acf-util/roles/viewuserroles?userid=<%= name %>'>View roles for this account</A>]
+ [<A HREF='edituser?userid=<%= html.html_escape(name) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this account</A>]
+ [<A HREF='deleteuser?userid=<%= html.html_escape(name) %>'>Delete this account</A>]
+ [<A HREF='<%= html.html_escape(page_info.script) %>/acf-util/roles/viewuserroles?userid=<%= html.html_escape(name) %>'>View roles for this account</A>]
</TD>
</TR>
</TABLE></DD>
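Review bot: HTML-escaping the values interpolated into query strings on the new `edituser?userid=`, `deleteuser?userid=` and `viewuserroles?userid=` lines does not make them safe for the URL context: a `name` or `page_info.orig_action` containing `&`, `=`, `#` or `%` still splits or corrupts the query, so each value should be percent-encoded for the URL first and then HTML-escaped for the attribute (the same applies to the `role=` and `redir=` links in both roles-viewroles-html.lsp hunks). The unchanged form action `<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newuser" method="POST">` is left raw here while the equivalent line in roles-viewroles-html.lsp is escaped in this same commit; `<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller) %>/newuser" method="POST">` keeps the two consistent. Separately, `deleteuser?userid=…` is a state-changing action reached by a plain GET link, the shape cross-site request forgery relies on; a POST form carrying the same hidden `redir` field would be safer, though whether the controller already requires a token is not visible in this diff.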
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 1997a97..f243ecb 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -5,7 +5,7 @@
io.write(html.cfe_unpack(form))
--]] %>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
displayformstart(form, page_info)
-- If editing existing role, disable role
@@ -23,7 +23,7 @@
myitem.class = "error"
io.write(' class="error"')
end
- io.write(">" .. myitem.label .. "</DT>\n")
+ io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
io.write("<DD>")
-- FIXME multiple select doesn't work in haserl, so use series of checkboxes
myitem.class = nil
@@ -44,7 +44,7 @@
myitem.checked = reverseval[val]
if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end
myitem.name = tempname .. "." .. x
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
-- Check for values not in options
if myitem.errtxt then
@@ -55,7 +55,7 @@
if not reverseopt[val] then
myitem.value = val
myitem.checked = true
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
end
if myitem.errtxt then
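Review bot: The added `html.html_escape(val)` only covers the visible checkbox text; on the unchanged line `myitem.value = val` the same value is also handed to `html.form.checkbox(myitem)` for the value attribute, and whether that helper attribute-escapes what it receives is outside this diff. Worth confirming before treating this hunk as complete; the same applies to the `html.form.checkbox(myitem) .. html.html_escape(val)` line in the preceding hunk. The enclosing loop and `if` start outside this hunk.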
@@ -64,8 +64,8 @@
myitem.name = tempname
myitem.value = tempval
- if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
- if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+ if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
io.write("</DD>\n")
io.write("</DL>\n")
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
index 16e4747..d61e60a 100644
--- a/app/acf-util/roles-html.lsp
+++ b/app/acf-util/roles-html.lsp
@@ -5,17 +5,17 @@
<% ---[[ %>
<% if view.value.userid then %>
- <H1>Roles/Permission list for <%= view.value.userid.value %>:</H1>
+ <H1>Roles/Permission list for <%= html.html_escape(view.value.userid.value) %>:</H1>
<% elseif view.value.role then %>
- <H1>Permission list for <%= view.value.role.value %>:</H1>
+ <H1>Permission list for <%= html.html_escape(view.value.role.value) %>:</H1>
<% else %>
<H1>Complete permission list:</H1>
<% end %>
<% if view.value.roles then %>
- <H2><%= view.value.userid.value %> is valid in these roles</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %> is valid in these roles</H2>
<% for a,b in pairs(view.value.roles.value) do
- print("<li>",b,"</li>")
+ print("<li>",html.html_escape(b),"</li>")
end %>
<% end %>
<% --]] %>
@@ -23,9 +23,9 @@
<% ---[[ %>
<% if view.value.permissions then %>
<% if view.value.userid then %>
- <H2><%= view.value.userid.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %>'s full permissions are</H2>
<% elseif view.value.role then %>
- <H2><%= view.value.role.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.role.value) %>'s full permissions are</H2>
<% end %>
<% local controllers = {}
-- It's nice to have it in alphabetical order
@@ -36,7 +36,7 @@
io.write("<TABLE>")
io.write("<TR><TD CLASS='header'>Controller</TD><TD CLASS='header'>Action(s)</TD>")
for x,cont in ipairs(controllers) do
- print("<TR><TD STYLE='font-weight:bold;'>",cont,"</TD><TD>")
+ print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(cont),"</TD><TD>")
-- Again, alphabetical order
local actions = {}
for act in pairs(view.value.permissions.value[cont]) do
@@ -44,7 +44,7 @@
end
table.sort(actions)
for y,act in pairs(actions) do
- print(act)
+ print(html.html_escape(act))
end
io.write("<TD></TR>")
end
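Review bot: The unchanged `io.write("<TD></TR>")` opens a second cell instead of closing the one opened by `print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(cont),"</TD><TD>")` in the previous hunk; it should read `io.write("</TD></TR>")`. Browsers repair the markup, but the newly escaped action names then land in a cell that is never closed, which makes the rendered output harder to reason about. The `for x,cont` loop this hunk belongs to starts outside it.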
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 0334499..46fdfc2 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -9,8 +9,8 @@
<H1>Roles</H1>
<H2>Create new role</H2>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newrole" method="POST">
-<input class="hidden" type="hidden" name="redir" value="<%= page_info.orig_action %>" >
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller) %>/newrole" method="POST">
+<input class="hidden" type="hidden" name="redir" value="<%= html.html_escape(page_info.orig_action) %>" >
<dl><dt></dt><dd><input class="submit" type="submit" value="New Role"></dd></dl>
</form>
@@ -18,10 +18,10 @@
<% if view.value.default_roles then %>
<dl>
<% for x,role in pairs(view.value.default_roles.value) do %>
- <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
<dd>
- [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
- [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
+ [<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
+ [<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
</dd>
<% end %>
</dl>
@@ -30,11 +30,11 @@
<dl>
<% table.sort(view.value.defined_roles.value) %>
<% for x,role in pairs(view.value.defined_roles.value) do %>
- <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
<dd>
- [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
- [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
- [<a href='deleterole?role=<%= role %>'>Delete this role</a>]
+ [<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
+ [<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
+ [<a href='deleterole?role=<%= html.html_escape(role) %>'>Delete this role</a>]
</dd>
<% end %>
</dl>