From 82bba5703c4c02d30b6c0a3c1fa7d5f692147882 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/gnats/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 gnats-edit-html.lsp | 4 ++--
 gnats-editpr-html.lsp | 42 +++++++++++++++++++-------------------
 gnats-expert-html.lsp | 4 ++--
 gnats-query-html.lsp | 18 ++++++++---------
 gnats-queryeditpr-html.lsp | 18 ++++++++---------
 gnats-queryresult-html.lsp | 50 +++++++++++++++++++++++-----------------------
 gnats-report-html.lsp | 18 ++++++++---------
 gnats-summary-html.lsp | 12 +++++------
 8 files changed, 83 insertions(+), 83 deletions(-)
diff --git a/gnats-edit-html.lsp b/gnats-edit-html.lsp
index 9cc3514..c8e46ca 100644
--- a/gnats-edit-html.lsp
+++ b/gnats-edit-html.lsp
@@ -25,7 +25,7 @@ displayinfo(myform,tags,"viewonly")
<% local myform = form.file -io.write('') +io.write('') local tags = { "filename", "filesize", "mtime", "sumerrors", } displayinfo(myform,tags,"viewonly") %> @@ -34,7 +34,7 @@ displayinfo(myform,tags,"viewonly")

FILE CONTENT

<% local myform = form.file -io.write('') +io.write('') io.write(html.form[myform.filecontent.type](myform.filecontent)) %> diff --git a/gnats-editpr-html.lsp b/gnats-editpr-html.lsp index c6f2a07..21ae9ab 100644 --- a/gnats-editpr-html.lsp +++ b/gnats-editpr-html.lsp @@ -17,43 +17,43 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "") + io.write(">" .. html.html_escape(val.label) .. "") io.write("\n\t\t
") if (viewtype == "viewonly") then - if not (val.value) or (val.value == "") then val.value = " " end - io.write(val.value) + if not (val.value) or (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("") + io.write("") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(val.descr, "\n", "
") .. "

") end - if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(val.errtxt, "\n", "
") .. "

") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.descr), "\n", "
") .. "

") end + if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.errtxt), "\n", "
") .. "

") end io.write("\n\t\t
\n") end end end %> -

<% io.write(form["query"]["sfields"]["category"]["value"] .. "/") -io.write(form["query"]["sfields"]["number"]["value"] .. ": " ) -io.write(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object")%>

+

<% io.write(html.html_escape(form["query"]["sfields"]["category"]["value"] .. "/")) +io.write(html.html_escape(form["query"]["sfields"]["number"]["value"] .. ": " )) +io.write(html.html_escape(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object")) %>

Header

<% local h = form.query.header %> -
From
<%= h.from.value %>
-
Date
<%= h.date.value %>
-
Subject
<%= h.subject.value %>
+
From
<%= html.html_escape(h.from.value) %>
+
Date
<%= html.html_escape(h.date.value) %>
+
Subject
<%= html.html_escape(h.subject.value) %>

Details

@@ -71,7 +71,7 @@ local tags = {"organization", "environment", "description", "how_to_repeat", "fi for k,v in pairs(tags) do local myform=myform[v] %> -
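Review bot: The radio-option value written by the new line `io.write(" value='" .. html.html_escape(v1) .. "'>")` sits inside a single-quoted attribute, so it is only safe if html_escape in html.lua (changed by this commit but not in this diff) converts `'` as well as `&<>"`; if it handles only the double-quote form, make the quoting and the escaping agree with `io.write(" value=\"" .. html.html_escape(v1) .. "\">")`. The removed label line passed `tostring(v1)` while the new value line passes `v1` directly, so it is worth confirming html_escape tolerates non-string option values. The same pattern is in the displayinfo hunks of gnats-query-html.lsp, gnats-queryeditpr-html.lsp, gnats-queryresult-html.lsp and gnats-report-html.lsp. Separately, the heading fallback on the new line reads `"Qurery object"` where `"Query object"` is presumably meant (also in gnats-queryresult-html.lsp). displayinfo itself begins before this hunk.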

<% io.write(myform.label) %>

+

<% io.write(html.html_escape(myform.label)) %>

<% io.write(html.form[myform.type](myform)) %>
@@ -90,16 +90,16 @@ table {margin:10px;margin-top:5px;border:1px solid #aaa;background:#eee;} <% local myform = form.query["mfields"]["audit_trail"] %> -

<% io.write(myform.label) %>

+

<% io.write(html.html_escape(myform.label)) %>

<% for k,v in pairs(myform.option) do io.write("\n") if (#v.label > 0) then - io.write("") + io.write("") end for i=1,#v do - io.write("") + io.write("") end io.write("\n
" .. (v.label or "Uknown") .. "
" .. html.html_escape(v.label or "Uknown") .. "
" .. (v[i] or "Uknown") .. "
" .. html.html_escape(v[i] or "Uknown") .. "
") end @@ -112,9 +112,9 @@ local tags = {"unformatted", } for k,v in pairs(tags) do local myform=myform[v] %> -

<% io.write(myform.label) %>

+

<% io.write(html.html_escape(myform.label)) %>

-
<% io.write(myform.value) %>
+
<% io.write(html.html_escape(myform.value)) %>
<% end %> diff --git a/gnats-expert-html.lsp b/gnats-expert-html.lsp index 5bd4db6..84c7f42 100644 --- a/gnats-expert-html.lsp +++ b/gnats-expert-html.lsp @@ -34,9 +34,9 @@ for k,v in pairs(myform.option) do -
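Review bot: Style: the new lines in this hunk (and in the @@ -71 and @@ -90 hunks of the same file) emit escaped values as `<% io.write(html.html_escape(myform.label)) %>`, whereas the parallel hunks of gnats-queryresult-html.lsp use the shorter `<%= html.html_escape(myform.label) %>`; using the `<%=` form here too would keep the two files aligned. The value line `io.write(html.html_escape(myform.value))` for the "unformatted" field does not turn newlines into `<br>` the way descr and errtxt are handled in displayinfo, which is fine only if the enclosing element preserves whitespace — that markup is not visible in this rendering.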
" method="POST"> + (form.option.extra or "")) %>" method="POST"> <% -- Management buttons local myform = form.management diff --git a/gnats-query-html.lsp b/gnats-query-html.lsp index 98e1bf6..f955df1 100644 --- a/gnats-query-html.lsp +++ b/gnats-query-html.lsp @@ -35,25 +35,25 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "") + io.write(">" .. html.html_escape(val.label) .. "") io.write("\n\t\t
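Review bot: The closing `))` on the new line `(form.option.extra or "")) %>" method="POST">` suggests `form.option.extra` is now passed through html_escape before landing in the form's `action` attribute; that stops the value from breaking out of the attribute, but it does not constrain the URL that results, so if `extra` can be influenced by the request it should be validated against the expected path or URL-encoded where it is built rather than relying on html_escape alone. The start of the attribute and the rest of the line are not recoverable from this rendering, so this reading is inferred.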
") if (viewtype == "viewonly") then - if (val.value == "") then val.value = " " end - io.write(val.value) + if (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("") + io.write("") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(val.descr, "\n", "
") .. "

") end - if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(val.errtxt, "\n", "
") .. "

") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.descr), "\n", "
") .. "

") end + if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.errtxt), "\n", "
") .. "

") end io.write("\n\t\t
\n") end end diff --git a/gnats-queryeditpr-html.lsp b/gnats-queryeditpr-html.lsp index 247c5a8..8b0de9f 100644 --- a/gnats-queryeditpr-html.lsp +++ b/gnats-queryeditpr-html.lsp @@ -17,25 +17,25 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "") + io.write(">" .. html.html_escape(val.label) .. "") io.write("\n\t\t
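Review bot: The viewonly branch still guards only the empty string, `if (val.value == "") then val.value = " " end`, so a nil `val.value` now reaches `html.html_escape(val.value)` on the following line; unless html_escape in html.lua (not in this diff) accepts nil that raises, and the editpr and queryresult variants of displayinfo already use the safer form `if not (val.value) or (val.value == "") then val.value = " " end`. The old `io.write(val.value)` would have raised on nil as well, so this is a consistency fix rather than a regression. The same guard is missing in the displayinfo hunks of gnats-queryeditpr-html.lsp and gnats-report-html.lsp. displayinfo itself starts before this hunk.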
") if (viewtype == "viewonly") then - if (val.value == "") then val.value = " " end - io.write(val.value) + if (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("") + io.write("") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(val.descr, "\n", "
") .. "

") end - if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(val.errtxt, "\n", "
") .. "

") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.descr), "\n", "
") .. "

") end + if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.errtxt), "\n", "
") .. "

") end io.write("\n\t\t
\n") end end diff --git a/gnats-queryresult-html.lsp b/gnats-queryresult-html.lsp index b6b76bb..628043a 100644 --- a/gnats-queryresult-html.lsp +++ b/gnats-queryresult-html.lsp @@ -19,34 +19,34 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "") + io.write(">" .. html.html_escape(val.label) .. "") io.write("\n\t\t
") if (viewtype == "viewonly") then - if not (val.value) or (val.value == "") then val.value = " " end - io.write(val.value) + if not (val.value) or (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") and (#val.option > 0) then - io.write("") + io.write("") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t") else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(val.descr, "\n", "
") .. "

") end - if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(val.errtxt, "\n", "
") .. "

") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.descr), "\n", "
") .. "

") end + if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.errtxt), "\n", "
") .. "

") end io.write("\n\t\t
\n") end end end %> -

<% io.write(form["query"]["sfields"]["category"]["value"] .. "/") -io.write(form["query"]["sfields"]["number"]["value"] .. ": " ) -io.write(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object")%>

+

<% io.write(html.html_escape(form["query"]["sfields"]["category"]["value"] .. "/")) +io.write(html.html_escape(form["query"]["sfields"]["number"]["value"] .. ": " )) +io.write(html.html_escape(form["query"]["sfields"]["synopsis"]["value"] or form["query"]["header"]["subject"]["value"] or "Qurery object"))%>

<% @@ -71,9 +71,9 @@ local tags = {"environment", "description", "how_to_repeat", "fix", } for k,v in pairs(tags) do local myform=myform[v] %> -

<% io.write(myform.label) %>

+

<%= html.html_escape(myform.label) %>

-
<% io.write(myform.value) %>
+
<%= html.html_escape(myform.value) %>
<% end %> @@ -90,16 +90,16 @@ table {margin:10px;margin-top:5px;border:1px solid #aaa;background:#eee;} <% local myform = form.query["mfields"]["audit_trail"] %> -

<% io.write(myform.label) %>

+

<%= html.html_escape(myform.label) %>

<% for k,v in pairs(myform.option) do io.write("\n") if (#v.label > 0) then - io.write("") + io.write("") end for i=1,#v do - io.write("") + io.write("") end io.write("\n
" .. (v.label or "Uknown") .. "
" .. html.html_escape(v.label or "Uknown") .. "
" .. (v[i] or "Uknown") .. "
" .. html.html_escape(v[i] or "Uknown") .. "
") end @@ -112,9 +112,9 @@ local tags = {"unformatted", } for k,v in pairs(tags) do local myform=myform[v] %> -

<% io.write(myform.label) %>

+

<%= html.html_escape(myform.label) %>

-
<% io.write(myform.value) %>
+
<%= html.html_escape(myform.value) %>
<% end %> @@ -176,12 +176,12 @@ DL { padding-top: 5px; } <% for k,v in pairs(form.summary) do %> - - <% io.write(v.number or "") %> - <% io.write(string.sub(v.state,1,1) or "") %> - <% io.write(v.submit_date or "") %> - <% io.write(v.severity or "")%> - <% io.write(v.synopsis) %> + + <%= html.html_escape(v.number) %> + <%= html.html_escape(string.sub(v.state,1,1)) %> + <%= html.html_escape(v.submit_date) %> + <%= html.html_escape(v.severity) %> + <%= html.html_escape(v.synopsis) %> <% end %> diff --git a/gnats-report-html.lsp b/gnats-report-html.lsp index a64541e..982355f 100644 --- a/gnats-report-html.lsp +++ b/gnats-report-html.lsp @@ -16,19 +16,19 @@ function displayinfo(myform,tags,viewtype) val.class = "error" io.write(" class='error'") end - io.write(">" .. val.label .. "") + io.write(">" .. html.html_escape(val.label) .. "") io.write("\n\t\t
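Review bot: The new summary rows drop the `or ""` fallbacks: `<%= html.html_escape(v.number) %>`, `html.html_escape(v.submit_date)` and `html.html_escape(v.severity)` now pass the raw field through, so a nil field is rendered however html_escape (html.lua, not in this diff) treats nil instead of as an empty cell as before; keeping the fallback, `<%= html.html_escape(v.number or "") %>`, preserves the old behaviour whatever html_escape does. `string.sub(v.state,1,1)` still raises if `v.state` is nil, as it did before, since the removed `or ""` on that line was never reachable. The identical rows in gnats-summary-html.lsp have the same change.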
") if (viewtype == "viewonly") then - if (val.value == "") then val.value = " " end - io.write(val.value) + if (val.value == "") then val.value = " " end + io.write(html.html_escape(val.value)) elseif (val.type == "radio") and (type(val.option) == "table") then if (#val.option > 0) then - io.write("") + io.write("") for k1,v1 in pairs(val.option) do - io.write("\n\t\t\t"..tostring(v1) .. ":") - io.write("") + io.write(" value='" .. html.html_escape(v1) .. "'>") end io.write("\n\t\t\t") else @@ -37,8 +37,8 @@ function displayinfo(myform,tags,viewtype) else io.write(html.form[val.type](val)) end - if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(val.descr, "\n", "
") .. "

") end - if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(val.errtxt, "\n", "
") .. "

") end + if (val.descr) and (#val.descr > 0) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.descr), "\n", "
") .. "

") end + if (val.errtxt) then io.write("\n\t\t

" .. string.gsub(html.html_escape(val.errtxt), "\n", "
") .. "

") end io.write("\n\t\t
\n") end end diff --git a/gnats-summary-html.lsp b/gnats-summary-html.lsp index adc6e74..441368a 100644 --- a/gnats-summary-html.lsp +++ b/gnats-summary-html.lsp @@ -55,12 +55,12 @@ DL { padding-top: 5px; } <% for k,v in pairs(form.summary) do %> - - <% io.write(v.number or "") %> - <% io.write(string.sub(v.state,1,1) or "") %> - <% io.write(v.submit_date or "") %> - <% io.write(v.severity or "")%> - <% io.write(v.synopsis) %> + + <%= html.html_escape(v.number) %> + <%= html.html_escape(string.sub(v.state,1,1)) %> + <%= html.html_escape(v.submit_date) %> + <%= html.html_escape(v.severity) %> + <%= html.html_escape(v.synopsis) %> <% end %> -- cgit v1.2.3