From 76cbb205333360ae618c3b8a20faccf747039070 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
app/acf-util/logon-html.lsp | 2 +-
app/acf-util/logon-logout-html.lsp | 2 +-
app/acf-util/logon-status-html.lsp | 4 ++--
app/acf-util/password-html.lsp | 2 +-
app/acf-util/password-status-html.lsp | 22 +++++++++++-----------
app/acf-util/roles-editrole-html.lsp | 12 ++++++------
app/acf-util/roles-html.lsp | 16 ++++++++--------
app/acf-util/roles-viewroles-html.lsp | 18 +++++++++---------
8 files changed, 39 insertions(+), 39 deletions(-)
(limited to 'app/acf-util')
diff --git a/app/acf-util/logon-html.lsp b/app/acf-util/logon-html.lsp
index f6137cf..643ab86 100644
--- a/app/acf-util/logon-html.lsp
+++ b/app/acf-util/logon-html.lsp
@@ -4,7 +4,7 @@ io.write(html.cfe_unpack(form)) --]] %> -

<%= form.label %>

+

<%= html.html_escape(form.label) %>

<% form.value.password.type = "password" form.value.redir.type = "hidden"
diff --git a/app/acf-util/logon-logout-html.lsp b/app/acf-util/logon-logout-html.lsp
index a658ea9..b7b72f4 100644
--- a/app/acf-util/logon-logout-html.lsp
+++ b/app/acf-util/logon-logout-html.lsp
@@ -3,4 +3,4 @@ <%= html.cfe_unpack(view) %>
-<%= view.logout.value %>
+<%= html.html_escape(view.logout.value) %>
diff --git a/app/acf-util/logon-status-html.lsp b/app/acf-util/logon-status-html.lsp
index 5fb70c9..753248f 100644
--- a/app/acf-util/logon-status-html.lsp
+++ b/app/acf-util/logon-status-html.lsp
@@ -4,5 +4,5 @@ --]] %>

User Status

Below is your current Session id

-<%= view.value.sessionid.value %> -

You are currently known to the system as <%= view.value.username.value %>.

+<%= html.html_escape(view.value.sessionid.value) %> +

You are currently known to the system as <%= html.html_escape(view.value.username.value) %>.
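Review bot: The sessionid line still writes the session identifier into the page body (`<%= html.html_escape(view.value.sessionid.value) %>`); escaping it stops markup injection, but a session id is a bearer credential, and anything that can read the rendered page — a script injected elsewhere, a browser extension, a screenshot — obtains it. Unless something on the page genuinely needs the id, I would drop that line together with the "Below is your current Session id" heading above it, or show only a truncated form that cannot be replayed. The surrounding template is only partly visible in this rendering, so I cannot tell whether anything else depends on the value being displayed.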

diff --git a/app/acf-util/password-html.lsp b/app/acf-util/password-html.lsp
index faf8e44..7de8f88 100755
--- a/app/acf-util/password-html.lsp
+++ b/app/acf-util/password-html.lsp
@@ -9,7 +9,7 @@ io.write("") --]] %> -

<%= form.label %>

+

<%= html.html_escape(form.label) %>

<% if form.value.password and form.value.password_confirm then form.value.password.type = "password"
diff --git a/app/acf-util/password-status-html.lsp b/app/acf-util/password-status-html.lsp
index d7db4e9..714dfae 100755
--- a/app/acf-util/password-status-html.lsp
+++ b/app/acf-util/password-status-html.lsp
@@ -13,29 +13,29 @@ io.write("")

User Accounts

Create new account

- +

Existing account

<% for name,user in pairs(form.value) do %> -
<%= name %>
+
<%= html.html_escape(name) %>
- - + + - - + + - - + +
<%= user.value.userid.label %><%= user.value.userid.value %><%= html.html_escape(user.value.userid.label) %><%= html.html_escape(user.value.userid.value) %>
<%= user.value.username.label %><%= user.value.username.value %><%= html.html_escape(user.value.username.label) %><%= html.html_escape(user.value.username.value) %>
<%= user.value.roles.label %><%= table.concat(user.value.roles.value, " / ") %><%= html.html_escape(user.value.roles.label) %><%= html.html_escape(table.concat(user.value.roles.value, " / ")) %>
Option - [Edit this account] - [Delete this account] - [View roles for this account] + [Edit this account] + [Delete this account] + [View roles for this account]
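Review bot: The visible text of each account row is now escaped, but the `<a href>` wrappers around `[Edit this account]`, `[Delete this account]` and `[View roles for this account]` are stripped from this rendering, so how the account identifier is placed into each link's query string cannot be reviewed here. If `user.value.userid.value` (or `name`) is interpolated into those hrefs, HTML-escaping is not the right treatment for that position: a `&`, `#` or `%` in the value would still split or truncate the query string, so the value needs URL-encoding for the href and HTML-escaping for the attribute. The same applies to the `[View this role]`, `[Edit this role]` and `[Delete this role]` links in the roles-viewroles-html.lsp hunks. If html.lua gained such a helper in this commit it is not shown, since this page is limited to app/acf-util.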
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 1997a97..f243ecb 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -5,7 +5,7 @@ io.write(html.cfe_unpack(form)) --]] %> -

<%= form.label %>

+

<%= html.html_escape(form.label) %>

<% displayformstart(form, page_info) -- If editing existing role, disable role
@@ -23,7 +23,7 @@ myitem.class = "error" io.write(' class="error"') end
- io.write(">" .. myitem.label .. "\n")
+ io.write(">" .. html.html_escape(myitem.label) .. "\n")
 io.write("
") -- FIXME multiple select doesn't work in haserl, so use series of checkboxes myitem.class = nil @@ -44,7 +44,7 @@ myitem.checked = reverseval[val] if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end myitem.name = tempname .. "." .. x - io.write(html.form.checkbox(myitem) .. val .. "
\n") + io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "
\n") end -- Check for values not in options if myitem.errtxt then @@ -55,7 +55,7 @@ if not reverseopt[val] then myitem.value = val myitem.checked = true - io.write(html.form.checkbox(myitem) .. val .. "
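Review bot: This hunk and the @@ -55 one escape `val` only where it is written as visible text after the checkbox; the same value is also handed to `html.form.checkbox(myitem)` — explicitly via `myitem.value = val` on the line above the changed `io.write` in the @@ -55 hunk — where it presumably lands inside an attribute. Whether that attribute is escaped depends on html.lua, which the commit message says was changed but which is outside this page (limited to app/acf-util), so I would confirm `html.form.checkbox` escapes `myitem.value` and `myitem.name` before treating the text-side escape here as sufficient. The loop enclosing the changed line in this hunk starts before the hunk.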
\n") + io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "
\n") end end if myitem.errtxt then @@ -64,8 +64,8 @@ myitem.name = tempname myitem.value = tempval - if myitem.descr then io.write('

' .. string.gsub(myitem.descr, "\n", "
") .. "

\n") end - if myitem.errtxt then io.write('

' .. string.gsub(myitem.errtxt, "\n", "
") .. "

\n") end + if myitem.descr then io.write('

' .. string.gsub(html.html_escape(myitem.descr), "\n", "
") .. "

\n") end + if myitem.errtxt then io.write('

' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "
") .. "

\n") end io.write("
\n") io.write("
\n")
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
index 16e4747..d61e60a 100644
--- a/app/acf-util/roles-html.lsp
+++ b/app/acf-util/roles-html.lsp
@@ -5,17 +5,17 @@ <% ---[[ %> <% if view.value.userid then %> -
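Review bot: The `if myitem.descr` and `if myitem.errtxt` lines of the @@ -64 hunk apply `html.html_escape` first and only then run `string.gsub` on `"\n"`, which is the right order — escaping after the substitution would turn whatever gsub inserts for each newline into literal text — but nothing in the code says so, and a later cleanup could easily swap the two calls. I would add a comment above the `if myitem.descr` line: `-- html_escape before gsub: the markup substituted for "\n" must survive as markup`. The replacement string itself is stripped from this rendering, so I am reading its purpose from the `"\n"` pattern rather than seeing it.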

Roles/Permission list for <%= view.value.userid.value %>:

+

Roles/Permission list for <%= html.html_escape(view.value.userid.value) %>:

<% elseif view.value.role then %> -

Permission list for <%= view.value.role.value %>:

+

Permission list for <%= html.html_escape(view.value.role.value) %>:

<% else %>

Complete permission list:

<% end %> <% if view.value.roles then %> -

<%= view.value.userid.value %> is valid in these roles

+

<%= html.html_escape(view.value.userid.value) %> is valid in these roles

<% for a,b in pairs(view.value.roles.value) do - print("
  • ",b,"
  • ") + print("
  • ",html.html_escape(b),"
  • ") end %> <% end %> <% --]] %> @@ -23,9 +23,9 @@ <% ---[[ %> <% if view.value.permissions then %> <% if view.value.userid then %> -

    <%= view.value.userid.value %>'s full permissions are

    +

    <%= html.html_escape(view.value.userid.value) %>'s full permissions are

    <% elseif view.value.role then %> -

    <%= view.value.role.value %>'s full permissions are

    +

    <%= html.html_escape(view.value.role.value) %>'s full permissions are

<% end %> <% local controllers = {} -- It's nice to have it in alphabetical order
@@ -36,7 +36,7 @@ io.write("") io.write("") for x,cont in ipairs(controllers) do - print("") end
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 0334499..46fdfc2 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -9,8 +9,8 @@

    Roles

    Create new role

    - - + +
    @@ -18,10 +18,10 @@ <% if view.value.default_roles then %>
    <% for x,role in pairs(view.value.default_roles.value) do %> -
    <%= role %>
    +
    <%= html.html_escape(role) %>
    - [View this role] - [Edit this role] + [View this role] + [Edit this role]
    <% end %>
    @@ -30,11 +30,11 @@
    <% table.sort(view.value.defined_roles.value) %> <% for x,role in pairs(view.value.defined_roles.value) do %> -
    <%= role %>
    +
    <%= html.html_escape(role) %>
    - [View this role] - [Edit this role] - [Delete this role] + [View this role] + [Edit this role] + [Delete this role]
    <% end %>
    ControllerAction(s)
    ",cont,"") + print("
    ",html.html_escape(cont),"") -- Again, alphabetical order local actions = {} for act in pairs(view.value.permissions.value[cont]) do @@ -44,7 +44,7 @@ end table.sort(actions) for y,act in pairs(actions) do - print(act) + print(html.html_escape(act)) end io.write("