From 76cbb205333360ae618c3b8a20faccf747039070 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 lib/html.lua          | 32 +++++++++++++++++---------------
 lib/viewfunctions.lua | 33 +++++++++++++++++----------------
 2 files changed, 34 insertions(+), 31 deletions(-)

(limited to 'lib')

diff --git a/lib/html.lua b/lib/html.lua
index 96bf4ad..4dac45f 100644
--- a/lib/html.lua
+++ b/lib/html.lua
@@ -22,8 +22,8 @@ cookie.set = function ( name, value, path )
 	if path == nil then
 		path = "/"
 	end
-	return (string.format('Set-Cookie: %s=%s; path=%s; %s\n', tostring(name), 
-		tostring(value), path, expires))
+	return (string.format('Set-Cookie: %s=%s; path=%s; %s\n', html_escape(tostring(name)), 
+		html_escape(tostring(value)), html_escape(path), html_escape(expires)))
 end
 
 
@@ -39,7 +39,9 @@ function html_escape (text )
 	text = text or "" 
 	local str = string.gsub (text, "&", "&amp;" )
 	str = string.gsub (str, "<", "&lt;" )
-	return string.gsub (str, ">", "&gt;" )
+	str = string.gsub (str, ">", "&gt;" )
+	str = string.gsub (str, "'", "&#39;" )
+	return string.gsub (str, '"', "&quot;" )
 end
 
 --  return a name,value pair as a string.  
@@ -55,7 +57,7 @@ local nv_pair = function ( name, value)
 	if ( value == nil ) then
 		return ( "" )
 	else
-		return (string.format (' %s="%s" ', name , ( value or "" ) ))
+		return (string.format (' %s="%s" ', html_escape(name) , html_escape(value) ))
 	end
 end
 
@@ -87,7 +89,7 @@ local generic_input = function ( field_type, v )
 		return nil
 	end
 	
-	local str = string.format ( '<input class="%s" type="%s" ', field_type,field_type )
+	local str = string.format ( '<input class="%s" type="%s" ', html_escape(field_type), html_escape(field_type) )
 
 	for i,k in ipairs ( {
 			"name", "size", "checked", "maxlength", 
@@ -125,7 +127,7 @@ form.longtext = function ( v )
 		str = str .. nv_pair ( k, v[k] )
 	end
 	str = str .. nv_pair (nil, v.disabled)
-	return ( str .. ">" .. (v.value or "" ) .. "</textarea>" )
+	return ( str .. ">" .. html_escape(v.value) .. "</textarea>" )
 end
 
 
@@ -201,10 +203,10 @@ function form.select ( v )
 			str = str .. " selected"
 			selected = true
 		end
-		str = str .. nv_pair("value", val) .. ">" .. k .. "</option>"
+		str = str .. nv_pair("value", val) .. ">" .. html_escape(val) .. "</option>"
 	end
 	if not selected then
-		str = str .. '<option selected value="' .. v.value ..'">[' .. v.value .. ']</option>'
+		str = str .. '<option selected value="' .. html_escape(v.value) ..'">[' .. html_escape(v.value) .. ']</option>'
 	end
 	str = str .. "</select>"
 	return (str)
@@ -224,9 +226,9 @@ function form.start ( v)
 	local method = v.method or "get"
 	return ( string.format (
 			'<form %s%s%s>',
-			nv_pair ( "class", v.class ), 
-			nv_pair ( "method", v.method), 
-			nv_pair (	"action", v.action )
+			nv_pair ( "class", html_escape(v.class) ), 
+			nv_pair ( "method", html_escape(v.method) ), 
+			nv_pair (	"action", html_escape(v.action) )
 		) )
 end
 	
@@ -240,9 +242,9 @@ end
 function entity (tag, text, class, id)
 	return ( string.format (
 			"<%s%s%s>%s</%s>",
-			tag, 
+			html_escape(tag),
 			nv_pair ("class", class),
-			nv_pair("id", id), text , tag)
+			nv_pair("id", id), html_escape(text), html_escape(tag))
 		)
 end
 	 
@@ -256,7 +258,7 @@ function link ( v )
 		str = str .. nv_pair ( k, v[k] )
 	end
 
-	return ( "<a " .. str .. ">" .. (v.label or "" ) .. "</a>" )
+	return ( "<a " .. str .. ">" .. html_escape(v.label) .. "</a>" )
 end
 
 
@@ -265,7 +267,7 @@ end
 function cfe_unpack ( a )
 	if type(a) == "table" then
 	value = session.serialize("cfe", a)
-	value = "<pre>" .. value .. "</pre>"
+	value = "<pre>" .. html_escape(value) .. "</pre>"
 	return value
 	end
 
diff --git a/lib/viewfunctions.lua b/lib/viewfunctions.lua
index 139b6f6..f1c5436 100644
--- a/lib/viewfunctions.lua
+++ b/lib/viewfunctions.lua
@@ -1,3 +1,4 @@
+require("html")
 
 function displayinfo(myform,tags,viewtype)
 	for k,v in pairs(tags) do 
@@ -91,11 +92,11 @@ function displayitem(myitem)
 		myitem.class = "error"
 		io.write(" class='error'")
 	end
-	io.write(">" .. myitem.label .. "</DT>\n")
+	io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
 	io.write("<DD>")
-	io.write(string.gsub(tostring(myitem.value), "\n", "<BR>") .. "\n")
-	if myitem.descr then io.write("<P CLASS='descr'>" .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
-	if myitem.errtxt then io.write("<P CLASS='error'>" .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+	io.write(string.gsub(html.html_escape(tostring(myitem.value)), "\n", "<BR>") .. "\n")
+	if myitem.descr then io.write("<P CLASS='descr'>" .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+	if myitem.errtxt then io.write("<P CLASS='error'>" .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
 	io.write("</DD>\n")
 end
 
@@ -108,7 +109,7 @@ function displayformitem(myitem, name, viewtype)
 			myitem.class = "error"
 			io.write(' class="error"')
 		end
-		io.write(">" .. myitem.label .. "</DT>\n")
+		io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
 		io.write("<DD>\n")
 	end
 	if (viewtype == "viewonly") then
@@ -131,7 +132,7 @@ function displayformitem(myitem, name, viewtype)
 			myitem.value = val
 			myitem.checked = reverseval[val]
 			myitem.name = tempname .. "." .. x
-			io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+			io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
 		end
 		-- Check for values not in options
 		if myitem.errtxt then
@@ -142,7 +143,7 @@ function displayformitem(myitem, name, viewtype)
 			if not reverseopt[val] then
 				myitem.value = val
 				myitem.checked = true
-				io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+				io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
 			end
 		end
 		if myitem.errtxt then
@@ -161,8 +162,8 @@ function displayformitem(myitem, name, viewtype)
 		io.write((html.form[myitem.type](myitem) or "") .. "\n")
 	end
 	if myitem.type ~= "hidden" then
-		if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
-		if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+		if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+		if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
 		io.write("</DD>\n")
 	end
 end
@@ -172,9 +173,9 @@ function displayformstart(myform, page_info)
 	if not myform.action and page_info then
 		myform.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	end
-	if myform.descr then io.write('<P CLASS="descr">' .. string.gsub(myform.descr, "\n", "<BR>") .. "</P>\n") end
-	if myform.errtxt then io.write('<P CLASS="error">' .. string.gsub(myform.errtxt, "\n", "<BR>") .. "</P>\n") end
-	io.write('<form action="' .. (myform.action or "") .. '" method="POST">\n')
+	if myform.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myform.descr), "\n", "<BR>") .. "</P>\n") end
+	if myform.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myform.errtxt), "\n", "<BR>") .. "</P>\n") end
+	io.write('<form action="' .. html.html_escape(myform.action) .. '" method="POST">\n')
 	if myform.value.redir then
 		displayformitem(myform.value.redir, "redir")
 	end
@@ -221,7 +222,7 @@ end
 function displayformend(myform)
 	if not myform then return end
 	io.write('<DL>\n')
-	io.write('<DT></DT><DD><input class="submit" type="submit" name="' .. myform.option .. '" value="' .. (myform.submit or myform.option) .. '"></DD>\n')
+	io.write('<DT></DT><DD><input class="submit" type="submit" name="' .. html.html_escape(myform.option) .. '" value="' .. html.html_escape(myform.submit or myform.option) .. '"></DD>\n')
 	io.write('</DL>\n')
 	io.write('</FORM>')
 end
@@ -239,9 +240,9 @@ function displaycommandresults(commands, session, preserveerrors)
 	if #cmdresult > 0 then
 		io.write("<H1>Command Result</H1>\n<DL>\n")
 		for i,result in ipairs(cmdresult) do
-			if type(result.value) == "string" and result.value ~= "" then io.write(result.value:gsub("\n", "<BR>") .. "\n") end
-			if result.descr then io.write('<P CLASS="descr">' .. string.gsub(result.descr, "\n", "<BR>") .. "</P>\n") end
-			if result.errtxt then io.write('<P CLASS="error">' .. string.gsub(result.errtxt, "\n", "<BR>") .. "</P>\n") end
+			if type(result.value) == "string" and result.value ~= "" then io.write(string.gsub(html.html_escape(result.value), "\n", "<BR>") .. "\n") end
+			if result.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(result.descr), "\n", "<BR>") .. "</P>\n") end
+			if result.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(result.errtxt), "\n", "<BR>") .. "</P>\n") end
 		end
 		io.write("</DL>\n")
 	end
-- 
cgit v1.2.3