diff options
| author | Ted Trask <ttrask01@yahoo.com> | 2009-01-15 21:44:39 +0000 |
|---|---|---|
| committer | Ted Trask <ttrask01@yahoo.com> | 2009-01-15 21:44:39 +0000 |
| commit | 82bba5703c4c02d30b6c0a3c1fa7d5f692147882 (patch) | |
| tree | eebcce26e11c9e6bd64861989293a440be8beb3b | |
| parent | 585b049c9a3f424faa33faaf0b9c19a0eec73a15 (diff) | |
| download | acf-gnats-82bba5703c4c02d30b6c0a3c1fa7d5f692147882.tar.bz2 acf-gnats-82bba5703c4c02d30b6c0a3c1fa7d5f692147882.tar.xz | |
Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/gnats/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
| -rw-r--r-- | gnats-edit-html.lsp | 4 | ||||
| -rw-r--r-- | gnats-editpr-html.lsp | 42 | ||||
| -rw-r--r-- | gnats-expert-html.lsp | 4 | ||||
| -rw-r--r-- | gnats-query-html.lsp | 18 | ||||
| -rw-r--r-- | gnats-queryeditpr-html.lsp | 18 | ||||
| -rw-r--r-- | gnats-queryresult-html.lsp | 50 | ||||
| -rw-r--r-- | gnats-report-html.lsp | 18 | ||||
| -rw-r--r-- | gnats-summary-html.lsp | 12 |
8 files changed, 83 insertions, 83 deletions
diff --git a/gnats-edit-html.lsp b/gnats-edit-html.lsp index 9cc3514..c8e46ca 100644 --- a/gnats-edit-html.lsp +++ b/gnats-edit-html.lsp @@ -25,7 +25,7 @@ displayinfo(myform,tags,"viewonly") <DL> <% local myform = form.file -io.write('<input type="hidden" value="' .. myform.filename.value .. '" name="name">') +io.write('<input type="hidden" value="' .. html.html_escape(myform.filename.value) .. '" name="name">') local tags = { "filename", "filesize", "mtime", "sumerrors", } displayinfo(myform,tags,"viewonly") %> @@ -34,7 +34,7 @@ displayinfo(myform,tags,"viewonly") <H3>FILE CONTENT</H3> <% local myform = form.file -io.write('<input type="hidden" value="' .. myform.filename.value .. '" name="name">') +io.write('<input type="hidden" value="' .. html.html_escape(myform.filename.value) .. '" name="name">') io.write(html.form[myform.filecontent.type](myform.filecontent)) %> diff --git a/gnats-editpr-html.lsp b/gnats-editpr-html.lsp index c6f2a07..21ae9ab 100644 --- a/gnats-editpr-html.lsp +++ b/gnats-editpr-html.lsp @@ -17,43 +17,43 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "</DT>") + io.write(">" .. html.html_escape(val.label) .. "</DT>") io.write("\n\t\t<DD>") if (viewtype == "viewonly") then - if not (val.value) or (val.value == "") then val.value = " " end - io.write(val.value) + if not (val.value) or (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("<span style='display:inline' class='" .. ( val.class or "") .. "'>") + io.write("<span style='display:inline' class='" .. html.html_escape(val.class) .. "'>") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. ( val.class or "") .. "' name='" .. val.name .. "'") + io.write("\n\t\t\t"..html.html_escape(tostring(v1)) .. ":") + io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. html.html_escape(val.class) .. "' name='" .. html.html_escape(val.name) .. "'") if (tostring(val.value) == tostring(v1)) then io.write(" checked='yes'") end - io.write(" value='" .. v1 .. "'>") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t</input></span>") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(val.descr, "\n", "<BR>") .. "</P>") end - if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(val.errtxt, "\n", "<BR>") .. "</P>") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(html.html_escape(val.descr), "\n", "<BR>") .. "</P>") end + if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(html.html_escape(val.errtxt), "\n", "<BR>") .. "</P>") end io.write("\n\t\t</DD>\n") end end end %> -<H1><% io.write(form["query"]["sfields"]["category"]["value"] .. "/") -io.write(form["query"]["sfields"]["number"]["value"] .. ": " ) -io.write(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object")%></H1> +<H1><% io.write(html.html_escape(form["query"]["sfields"]["category"]["value"] .. "/")) +io.write(html.html_escape(form["query"]["sfields"]["number"]["value"] .. ": " )) +io.write(html.html_escape(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object")) %></H1> <H2>Header</H2> <DL> <% local h = form.query.header %> -<dt>From</dt><dd><%= h.from.value %></dd> -<dt>Date</dt><dd><%= h.date.value %></dd> -<dt>Subject</dt><dd><%= h.subject.value %></dd> +<dt>From</dt><dd><%= html.html_escape(h.from.value) %></dd> +<dt>Date</dt><dd><%= html.html_escape(h.date.value) %></dd> +<dt>Subject</dt><dd><%= html.html_escape(h.subject.value) %></dd> </DL> <H2>Details</H2> @@ -71,7 +71,7 @@ local tags = {"organization", "environment", "description", "how_to_repeat", "fi for k,v in pairs(tags) do local myform=myform[v] %> -<H2><% io.write(myform.label) %></H2> +<H2><% io.write(html.html_escape(myform.label)) %></H2> <DL> <% io.write(html.form[myform.type](myform)) %> </DL> @@ -90,16 +90,16 @@ table {margin:10px;margin-top:5px;border:1px solid #aaa;background:#eee;} <% local myform = form.query["mfields"]["audit_trail"] %> -<H2><% io.write(myform.label) %></H2> +<H2><% io.write(html.html_escape(myform.label)) %></H2> <DL> <% for k,v in pairs(myform.option) do io.write("\n<TABLE STYLE='width:98%;'>") if (#v.label > 0) then - io.write("<TR CLASS='" .. (v.class or "") .. "'><TD COLSPAN=2 CLASS='Header'>" .. (v.label or "Uknown") .. "</TD></TR>") + io.write("<TR CLASS='" .. html.html_escape(v.class) .. "'><TD COLSPAN=2 CLASS='Header'>" .. html.html_escape(v.label or "Uknown") .. "</TD></TR>") end for i=1,#v do - io.write("<TR><TD WIDTH='100%'><PRE>" .. (v[i] or "Uknown") .. "</PRE></TD></TR>") + io.write("<TR><TD WIDTH='100%'><PRE>" .. html.html_escape(v[i] or "Uknown") .. "</PRE></TD></TR>") end io.write("\n</TABLE>") end @@ -112,9 +112,9 @@ local tags = {"unformatted", } for k,v in pairs(tags) do local myform=myform[v] %> -<H2><% io.write(myform.label) %></H2> +<H2><% io.write(html.html_escape(myform.label)) %></H2> <DL> -<PRE><% io.write(myform.value) %></PRE> +<PRE><% io.write(html.html_escape(myform.value)) %></PRE> </DL> <% end %> diff --git a/gnats-expert-html.lsp b/gnats-expert-html.lsp index 5bd4db6..84c7f42 100644 --- a/gnats-expert-html.lsp +++ b/gnats-expert-html.lsp @@ -34,9 +34,9 @@ for k,v in pairs(myform.option) do </TABLE> -<form action="<%= form.option.script .. "/" .. form.option.prefix .. +<form action="<%= html.html_escape(form.option.script .. "/" .. form.option.prefix .. form.option.controller .. "/" .. form.option.action .. - (form.option.extra or "") %>" method="POST"> + (form.option.extra or "")) %>" method="POST"> <% -- Management buttons local myform = form.management diff --git a/gnats-query-html.lsp b/gnats-query-html.lsp index 98e1bf6..f955df1 100644 --- a/gnats-query-html.lsp +++ b/gnats-query-html.lsp @@ -35,25 +35,25 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "</DT>") + io.write(">" .. html.html_escape(val.label) .. "</DT>") io.write("\n\t\t<DD>") if (viewtype == "viewonly") then - if (val.value == "") then val.value = " " end - io.write(val.value) + if (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("<span style='display:inline' class='" .. ( val.class or "") .. "'>") + io.write("<span style='display:inline' class='" .. html.html_escape(val.class) .. "'>") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. ( val.class or "") .. "' name='" .. val.name .. "'") + io.write("\n\t\t\t"..html.html_escape(tostring(v1)) .. ":") + io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. html.html_escape(val.class) .. "' name='" .. html.html_escape(val.name) .. "'") if (tostring(val.value) == tostring(v1)) then io.write(" checked='yes'") end - io.write(" value='" .. v1 .. "'>") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t</input></span>") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(val.descr, "\n", "<BR>") .. "</P>") end - if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(val.errtxt, "\n", "<BR>") .. "</P>") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(html.html_escape(val.descr), "\n", "<BR>") .. "</P>") end + if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(html.html_escape(val.errtxt), "\n", "<BR>") .. "</P>") end io.write("\n\t\t</DD>\n") end end diff --git a/gnats-queryeditpr-html.lsp b/gnats-queryeditpr-html.lsp index 247c5a8..8b0de9f 100644 --- a/gnats-queryeditpr-html.lsp +++ b/gnats-queryeditpr-html.lsp @@ -17,25 +17,25 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "</DT>") + io.write(">" .. html.html_escape(val.label) .. "</DT>") io.write("\n\t\t<DD>") if (viewtype == "viewonly") then - if (val.value == "") then val.value = " " end - io.write(val.value) + if (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("<span style='display:inline' class='" .. ( val.class or "") .. "'>") + io.write("<span style='display:inline' class='" .. html.html_escape(val.class) .. "'>") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. ( val.class or "") .. "' name='" .. val.name .. "'") + io.write("\n\t\t\t"..html.html_escape(tostring(v1)) .. ":") + io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. html.html_escape(val.class) .. "' name='" .. html.html_escape(val.name) .. "'") if (tostring(val.value) == tostring(v1)) then io.write(" checked='yes'") end - io.write(" value='" .. v1 .. "'>") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t</input></span>") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(val.descr, "\n", "<BR>") .. "</P>") end - if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(val.errtxt, "\n", "<BR>") .. "</P>") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(html.html_escape(val.descr), "\n", "<BR>") .. "</P>") end + if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(html.html_escape(val.errtxt), "\n", "<BR>") .. "</P>") end io.write("\n\t\t</DD>\n") end end diff --git a/gnats-queryresult-html.lsp b/gnats-queryresult-html.lsp index b6b76bb..628043a 100644 --- a/gnats-queryresult-html.lsp +++ b/gnats-queryresult-html.lsp @@ -19,34 +19,34 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "</DT>") + io.write(">" .. html.html_escape(val.label) .. "</DT>") io.write("\n\t\t<DD>") if (viewtype == "viewonly") then - if not (val.value) or (val.value == "") then val.value = " " end - io.write(val.value) + if not (val.value) or (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("<span style='display:inline' class='" .. ( val.class or "") .. "'>") + io.write("<span style='display:inline' class='" .. html.html_escape(val.class) .. "'>") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. ( val.class or "") .. "' name='" .. val.name .. "'") + io.write("\n\t\t\t"..html.html_escape(tostring(v1)) .. ":") + io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. html.html_escape(val.class) .. "' name='" .. html.html_escape(val.name) .. "'") if (tostring(val.value) == tostring(v1)) then io.write(" checked='yes'") end - io.write(" value='" .. v1 .. "'>") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t</input></span>") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(val.descr, "\n", "<BR>") .. "</P>") end - if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(val.errtxt, "\n", "<BR>") .. "</P>") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(html.html_escape(val.descr), "\n", "<BR>") .. "</P>") end + if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(html.html_escape(val.errtxt), "\n", "<BR>") .. "</P>") end io.write("\n\t\t</DD>\n") end end end %> -<H1><% io.write(form["query"]["sfields"]["category"]["value"] .. "/") -io.write(form["query"]["sfields"]["number"]["value"] .. ": " ) -io.write(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object")%></H1> +<H1><% io.write(html.html_escape(form["query"]["sfields"]["category"]["value"] .. "/")) +io.write(html.html_escape(form["query"]["sfields"]["number"]["value"] .. ": " )) +io.write(html.html_escape(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object"))%></H1> <DL> <% @@ -71,9 +71,9 @@ local tags = {"environment", "description", "how_to_repeat", "fix", } for k,v in pairs(tags) do local myform=myform[v] %> -<H2><% io.write(myform.label) %></H2> +<H2><%= html.html_escape(myform.label) %></H2> <DL> -<PRE><% io.write(myform.value) %></PRE> +<PRE><%= html.html_escape(myform.value) %></PRE> </DL> <% end %> @@ -90,16 +90,16 @@ table {margin:10px;margin-top:5px;border:1px solid #aaa;background:#eee;} <% local myform = form.query["mfields"]["audit_trail"] %> -<H2><% io.write(myform.label) %></H2> +<H2><%= html.html_escape(myform.label) %></H2> <DL> <% for k,v in pairs(myform.option) do io.write("\n<TABLE STYLE='width:98%;'>") if (#v.label > 0) then - io.write("<TR CLASS='" .. (v.class or "") .. "'><TD COLSPAN=2 CLASS='Header'>" .. (v.label or "Uknown") .. "</TD></TR>") + io.write("<TR CLASS='" .. html.html_escape(v.class) .. "'><TD COLSPAN=2 CLASS='Header'>" .. html.html_escape(v.label or "Uknown") .. "</TD></TR>") end for i=1,#v do - io.write("<TR><TD WIDTH='100%'><PRE>" .. (v[i] or "Uknown") .. "</PRE></TD></TR>") + io.write("<TR><TD WIDTH='100%'><PRE>" .. html.html_escape(v[i] or "Uknown") .. "</PRE></TD></TR>") end io.write("\n</TABLE>") end @@ -112,9 +112,9 @@ local tags = {"unformatted", } for k,v in pairs(tags) do local myform=myform[v] %> -<H2><% io.write(myform.label) %></H2> +<H2><%= html.html_escape(myform.label) %></H2> <DL> -<PRE><% io.write(myform.value) %></PRE> +<PRE><%= html.html_escape(myform.value) %></PRE> </DL> <% end %> @@ -176,12 +176,12 @@ DL { padding-top: 5px; } <% for k,v in pairs(form.summary) do %> - <tr class='<% io.write(string.sub(v.state,1,1)) %>'> - <td width='30px'><A HREF='queryresult?pr=<% io.write(v.number) %>' STYLE='font-weight:bold;'><% io.write(v.number or "") %></A></td> - <td width='15px'><% io.write(string.sub(v.state,1,1) or "") %></td> - <td width='80px'><% io.write(v.submit_date or "") %></td> - <td width='80px'><% io.write(v.severity or "")%></td> - <td style='white-space:normal;word-wrap:break-word'><% io.write(v.synopsis) %></td> + <tr class='<%= html.html_escape(string.sub(v.state,1,1)) %>'> + <td width='30px'><A HREF='queryresult?pr=<%= html.html_escape(v.number) %>' STYLE='font-weight:bold;'><%= html.html_escape(v.number) %></A></td> + <td width='15px'><%= html.html_escape(string.sub(v.state,1,1)) %></td> + <td width='80px'><%= html.html_escape(v.submit_date) %></td> + <td width='80px'><%= html.html_escape(v.severity) %></td> + <td style='white-space:normal;word-wrap:break-word'><%= html.html_escape(v.synopsis) %></td> </tr> <% end %> diff --git a/gnats-report-html.lsp b/gnats-report-html.lsp index a64541e..982355f 100644 --- a/gnats-report-html.lsp +++ b/gnats-report-html.lsp @@ -16,19 +16,19 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "</DT>") + io.write(">" .. html.html_escape(val.label) .. "</DT>") io.write("\n\t\t<DD>") if (viewtype == "viewonly") then - if (val.value == "") then val.value = " " end - io.write(val.value) + if (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") then if (#val.option > 0) then - io.write("<span style='display:inline' class='" .. ( val.class or "") .. "'>") + io.write("<span style='display:inline' class='" .. html.html_escape(val.class) .. "'>") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. ( val.class or "") .. "' name='" .. val.name .. "'") + io.write("\n\t\t\t"..html.html_escape(tostring(v1)) .. ":") + io.write("<input style='margin-right:20px;margin-left:5px;' type='radio' class='" .. html.html_escape(val.class) .. "' name='" .. html.html_escape(val.name) .. "'") if (tostring(val.value) == tostring(v1)) then io.write(" checked='yes'") end - io.write(" value='" .. v1 .. "'>") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t</input></span>") else @@ -37,8 +37,8 @@ function displayinfo(myform,tags,viewtype) else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(val.descr, "\n", "<BR>") .. "</P>") end - if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(val.errtxt, "\n", "<BR>") .. "</P>") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t<P CLASS='descr'>" .. string.gsub(html.html_escape(val.descr), "\n", "<BR>") .. "</P>") end + if (val.errtxt) then io.write("\n\t\t<P CLASS='error'>" .. string.gsub(html.html_escape(val.errtxt), "\n", "<BR>") .. "</P>") end io.write("\n\t\t</DD>\n") end end diff --git a/gnats-summary-html.lsp b/gnats-summary-html.lsp index adc6e74..441368a 100644 --- a/gnats-summary-html.lsp +++ b/gnats-summary-html.lsp @@ -55,12 +55,12 @@ DL { padding-top: 5px; } <% for k,v in pairs(form.summary) do %> - <tr class='<% io.write(string.sub(v.state,1,1)) %>'> - <td width='30px'><A HREF='queryresult?pr=<% io.write(v.number) %>' STYLE='font-weight:bold;'><% io.write(v.number or "") %></A></td> - <td width='15px'><% io.write(string.sub(v.state,1,1) or "") %></td> - <td width='80px'><% io.write(v.submit_date or "") %></td> - <td width='80px'><% io.write(v.severity or "")%></td> - <td style='white-space:normal;word-wrap:break-word'><% io.write(v.synopsis) %></td> + <tr class='<%= html.html_escape(string.sub(v.state,1,1)) %>'> + <td width='30px'><A HREF='queryresult?pr=<%= html.html_escape(v.number) %>' STYLE='font-weight:bold;'><%= html.html_escape(v.number) %></A></td> + <td width='15px'><%= html.html_escape(string.sub(v.state,1,1)) %></td> + <td width='80px'><%= html.html_escape(v.submit_date) %></td> + <td width='80px'><%= html.html_escape(v.severity) %></td> + <td style='white-space:normal;word-wrap:break-word'><%= html.html_escape(v.synopsis) %></td> </tr> <% end %> |