From a89437b3c168e6d5f38b8e577f31ea89f5c9c8d0 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/tinydns/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 tinydns-config-html.lsp          |  2 +-
 tinydns-edit-html.lsp            | 18 +++++++++---------
 tinydns-html.lsp                 |  2 +-
 tinydns-listfiles-html.lsp       |  6 +++---
 tinydns-listpermissions-html.lsp |  6 +++---
 tinydns-status-html.lsp          |  4 ++--
 tinydns-view-html.lsp            | 26 +++++++++++++-------------
 7 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/tinydns-config-html.lsp b/tinydns-config-html.lsp
index 1193b65..9f10a4c 100755
--- a/tinydns-config-html.lsp
+++ b/tinydns-config-html.lsp
@@ -15,7 +15,7 @@ io.write("</span>")
 	viewlibrary.dispatch_component("status")
 end %>
 
-<h1><%= form.label %></h1>
+<h1><%= html.html_escape(form.label) %></h1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	displayform(form)
diff --git a/tinydns-edit-html.lsp b/tinydns-edit-html.lsp
index f8d8dbb..785589a 100644
--- a/tinydns-edit-html.lsp
+++ b/tinydns-edit-html.lsp
@@ -35,9 +35,9 @@
 		var entrytext = entry.find("select").val() + entry.find("input:not(.submit)").map(function(){
 			if (this.name == "fixme") {
 				if ($(this).val() != "")
-					return $(this).val() + ".<%= domain %>";
+					return $(this).val() + ".<%= html.html_escape(domain) %>";
 				else
-					return "<%= domain %>";
+					return "<%= html.html_escape(domain) %>";
 			} else {
 				return $(this).val();
 			}
@@ -70,11 +70,11 @@
 		for (i=0; i<entryType.num; i++){
 			if (entries[i] === null) { entries[i] = ""; }
 			if (entryType.descriptions[i] == "Domain" || entryType.descriptions[i] == "Alias" || entryType.descriptions[i] == "Host" )
-				form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(domain, "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= domain %></dd>';
+				form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(html.html_escape(domain), "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= html.html_escape(domain) %></dd>';
 			else
 				form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i] + '"></dd>';
 		}
-		form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= form.option %>"></DD>';
+		form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= html.html_escape(form.option) %>"></DD>';
 		form = form + "\n</dl>";
 		entry.empty().append(form);
 		entry.find("select").change(function(){
@@ -83,7 +83,7 @@
 			createForm(entry);
 		});
 		entry.find("input.submit").click(function() {
-			$("input[name='<%= form.option %>']").click();
+			$("input[name='<%= html.html_escape(form.option) %>']").click();
 		});
 	}
 	function editLine(){
@@ -157,8 +157,8 @@ displayitem(form.value.mtime)
 </DL>
 
 <H3>File Entries</H3>
-<% if form.descr then %><P CLASS='descr'><%= string.gsub(form.descr, "\n", "<BR>") %></P><% end %>
-<% if form.errtxt then %><P CLASS='error'><%= string.gsub(form.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.descr then %><P CLASS='descr'><%= string.gsub(html.html_escape(form.descr), "\n", "<BR>") %></P><% end %>
+<% if form.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.errtxt), "\n", "<BR>") %></P><% end %>
 <TABLE id="entries">
 <% for line in string.gmatch(html.html_escape(form.value.filecontent.value).."\n", "([^\n]*)\n") do %>
 	<TR>
@@ -166,11 +166,11 @@ displayitem(form.value.mtime)
 	</TR>
 <% end %>
 </TABLE>
-<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %></P><% end %>
 
 <% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>
 <% displayformstart(form) %>
-<input type="hidden" name="filename" value="<%= form.value.filename.value %>">
+<input type="hidden" name="filename" value="<%= html.html_escape(form.value.filename.value) %>">
 <input type="hidden" name="filecontent" value="<%= html.html_escape(form.value.filecontent.value) %>">
 <H2>Save and Apply Above Settings</H2>
 <% displayformend(form) %>
diff --git a/tinydns-html.lsp b/tinydns-html.lsp
index abe7bf1..a135d3b 100644
--- a/tinydns-html.lsp
+++ b/tinydns-html.lsp
@@ -2,7 +2,7 @@
 require("viewfunctions")
 %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	if form.value.userid then form.value.userid.readonly = true end
diff --git a/tinydns-listfiles-html.lsp b/tinydns-listfiles-html.lsp
index 4286122..14f8419 100644
--- a/tinydns-listfiles-html.lsp
+++ b/tinydns-listfiles-html.lsp
@@ -31,9 +31,9 @@ io.write("</span>")
 			if session.permissions[page_info.controller].editfile then io.write(html.link{value = "editfile?filename=" .. file.value.filename.value.."&redir="..page_info.orig_action, label="Expert " }) end
 			%>
 		</TD>
-		<TD style="padding-right:20px;white-space:nowrap;text-align:right;"><%= file.value.filesize.value %></TD>
-		<TD style="padding-right:20px;white-space:nowrap;"><%= file.value.mtime.value %></TD>
-		<TD style="white-space:nowrap;" width="90%"><%= string.gsub(file.value.filename.value, "^.*/", "") %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;text-align:right;"><%= html.html_escape(file.value.filesize.value) %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(file.value.mtime.value) %></TD>
+		<TD style="white-space:nowrap;" width="90%"><%= html.html_escape(string.gsub(file.value.filename.value, "^.*/", "")) %></TD>
 	</TR>
 <% end %>
 </TABLE>
diff --git a/tinydns-listpermissions-html.lsp b/tinydns-listpermissions-html.lsp
index fc80db9..55d09b5 100644
--- a/tinydns-listpermissions-html.lsp
+++ b/tinydns-listpermissions-html.lsp
@@ -6,7 +6,7 @@
 
 <% displaycommandresults({"edituserpermisisons", "editrolepermissions"}, session) %>
 
-<H1><%= view.label %></H1>
+<H1><%= html.html_escape(view.label) %></H1>
 
 <H2>User Permissions</H2>
 <TABLE>
@@ -14,7 +14,7 @@
 <% for i,user in ipairs(view.value.user) do %>
 	<TR><TD><%= html.link{value=page_info.script .. page_info.prefix .. page_info.controller .. "/edituserpermissions?userid=" .. user.id .. "&redir="..page_info.orig_action, label=user.id} %></TD><TD>
 	<% for y,allowed in pairs(user.allowed) do
-		print(allowed, "<BR>")
+		print(html.html_escape(allowed), "<BR>")
 	end %>
 	<TD></TR>
 <% end %>
@@ -26,7 +26,7 @@
 <% for i,role in ipairs(view.value.role) do %>
 	<TR><TD><%= html.link{value=page_info.script .. page_info.prefix .. page_info.controller .. "/editrolepermissions?role=" .. role.id .. "&redir="..page_info.orig_action, label=role.id} %></TD><TD>
 	<% for y,allowed in pairs(role.allowed) do
-		print(allowed, "<BR>")
+		print(html.html_escape(allowed), "<BR>")
 	end %>
 	<TD></TR>
 <% end %>
diff --git a/tinydns-status-html.lsp b/tinydns-status-html.lsp
index 5eafebd..efe77b8 100644
--- a/tinydns-status-html.lsp
+++ b/tinydns-status-html.lsp
@@ -12,14 +12,14 @@ displayitem(data.value.status)
 displayitem(data.value.version)
 if data.value.version and data.value.version.errtxt and session.permissions.apk and session.permissions.apk.install then
 %>
-	<a href="<%= page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name %>">Install</a>
+	<a href="<%= html.html_escape(page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name) %>">Install</a>
 <%
 end
 
 displayitem(data.value.autostart)
 if not (data.value.version and data.value.version.errtxt) and data.value.autostart and data.value.autostart.errtxt and session.permissions.rc and session.permissions.rc.edit then
 %>
-	<a href="<%= page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action %>">Schedule autostart</a>
+	<a href="<%= html.html_escape(page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action) %>">Schedule autostart</a>
 <%
 end
 
diff --git a/tinydns-view-html.lsp b/tinydns-view-html.lsp
index b163ce5..35052ab 100644
--- a/tinydns-view-html.lsp
+++ b/tinydns-view-html.lsp
@@ -51,7 +51,7 @@ io.write("</span>")
 %>
 
 <H1>DNS Entries
-<% if view.filename then io.write(" for "..string.gsub(view.filename, "^.*/", "")) end %>
+<% if view.filename then io.write(" for "..html.html_escape(string.gsub(view.filename, "^.*/", ""))) end %>
 </H1>
 <H2>Locations</H2>
 <DL id="locations">
@@ -63,13 +63,13 @@ for i,loc in ipairs(view.value) do
 			if currentloc ~= "" then %>
 				</ul>
 			<% end %>
-			<li><IMG SRC='/skins/static/tango/16x16/places/start-here.png' width='16' height='16' alt> <B><%= loc[1] %></B></li>
+			<li><IMG SRC='/skins/static/tango/16x16/places/start-here.png' width='16' height='16' alt> <B><%= html.html_escape(loc[1]) %></B></li>
 			<ul STYLE='margin-left:30px';>
 		<% end
 		currentloc = loc[1] %>
-		<li id='filename=<%= loc.filename %>;linenumber=<%= loc.linenumber %>'>
-		<%= loc[2] %><% if loc[2] == "" then io.write('*') end %>
-		<% if (loc.errtxt) then %><P CLASS='error'><%= string.gsub(loc.errtxt, "\n", "<BR>") %></P><% end %>
+		<li id='filename=<%= html.html_escape(loc.filename) %>;linenumber=<%= html.html_escape(loc.linenumber) %>'>
+		<%= html.html_escape(loc[2]) %><% if loc[2] == "" then io.write('*') end %>
+		<% if (loc.errtxt) then %><P CLASS='error'><%= string.gsub(html.html_escape(loc.errtxt), "\n", "<BR>") %></P><% end %>
 		</li>
 	<% end
 end %>
@@ -102,7 +102,7 @@ local function doListIndents(next, indent)
 	end
 	for j=1,starting do
 		io.write("<ul><li STYLE='margin-left:10px;'><strong>")
-		io.write(table.concat(newentry, ".", #newentry-(i+j-2), #newentry))
+		io.write(html.html_escape(table.concat(newentry, ".", #newentry-(i+j-2), #newentry)))
 		io.write("</strong>\n")
 	end
 	return revnewentry
@@ -117,20 +117,20 @@ end
 for j,entry in ipairs(view.value) do 
 	if entry.type ~= '%' then
 		indent = doListIndents(entry[1], indent) %>
-		<ul><li STYLE='margin-left:10px;' id='filename=<%= entry.filename %>;linenumber=<%= entry.linenumber %>'>
-		<IMG SRC='/skins/static/tango/16x16/devices/computer.png' width='16' height='16'><%= entry.label %><BR>
-		<pre><%= entry.configline %></pre>
-		<TABLE STYLE='margin-left:<%= tostring(7-#indent) %>0px;'>
+		<ul><li STYLE='margin-left:10px;' id='filename=<%= html.html_escape(entry.filename) %>;linenumber=<%= html.html_escape(entry.linenumber) %>'>
+		<IMG SRC='/skins/static/tango/16x16/devices/computer.png' width='16' height='16'><%= html.html_escape(entry.label) %><BR>
+		<pre><%= html.html_escape(entry.configline) %></pre>
+		<TABLE STYLE='margin-left:<%= html.html_escape(tostring(7-#indent)) %>0px;'>
 		<% for k=2,#entry do
 			local option = entry[k]
 			if (option) and option ~= "" then %>
-				<TR><TD WIDTH='160px' STYLE='border:none;'><%= view.fieldlabels[entry.type][k] %>:</TD>
-				<TD STYLE='border:none;'><%= option %></TD></TR>
+				<TR><TD WIDTH='160px' STYLE='border:none;'><%= html.html_escape(view.fieldlabels[entry.type][k]) %>:</TD>
+				<TD STYLE='border:none;'><%= html.html_escape(option) %></TD></TR>
 			<% end
 		end %>
 		</TABLE>
 		<% if entry.errtxt then %>
-			<P CLASS='error'><%= string.gsub(entry.errtxt, "\n", "<BR>") %></P>
+			<P CLASS='error'><%= string.gsub(html.html_escape(entry.errtxt), "\n", "<BR>") %></P>
 		<% end %>
 		</li></ul>
 	<% end 
-- 
cgit v1.2.3