-rw-r--r--app/acf-util/logon-html.lsp2
-rw-r--r--app/acf-util/logon-logout-html.lsp2
-rw-r--r--app/acf-util/logon-status-html.lsp4
-rwxr-xr-xapp/acf-util/password-html.lsp2
-rwxr-xr-xapp/acf-util/password-status-html.lsp22
-rw-r--r--app/acf-util/roles-editrole-html.lsp12
-rw-r--r--app/acf-util/roles-html.lsp16
-rw-r--r--app/acf-util/roles-viewroles-html.lsp18
-rw-r--r--app/dispatcherror-html.lsp2
-rw-r--r--app/exception-html.lsp2
-rw-r--r--app/filedetails-html.lsp6
-rw-r--r--app/form-html.lsp2
-rw-r--r--app/startstop-html.lsp6
-rw-r--r--app/status-html.lsp4
-rw-r--r--app/template-html.lsp24
-rw-r--r--lib/html.lua32
-rw-r--r--lib/viewfunctions.lua33
17 files changed, 96 insertions, 93 deletions
diff --git a/app/acf-util/logon-html.lsp b/app/acf-util/logon-html.lsp
index f6137cf..643ab86 100644
--- a/app/acf-util/logon-html.lsp
+++ b/app/acf-util/logon-html.lsp
@@ -4,7 +4,7 @@
io.write(html.cfe_unpack(form))
--]] %>
-<h1><%= form.label %></h1>
+<h1><%= html.html_escape(form.label) %></h1>
<%
form.value.password.type = "password"
form.value.redir.type = "hidden"
diff --git a/app/acf-util/logon-logout-html.lsp b/app/acf-util/logon-logout-html.lsp
index a658ea9..b7b72f4 100644
--- a/app/acf-util/logon-logout-html.lsp
+++ b/app/acf-util/logon-logout-html.lsp
@@ -3,4 +3,4 @@
<%= html.cfe_unpack(view) %>
-<%= view.logout.value %>
+<%= html.html_escape(view.logout.value) %>
diff --git a/app/acf-util/logon-status-html.lsp b/app/acf-util/logon-status-html.lsp
index 5fb70c9..753248f 100644
--- a/app/acf-util/logon-status-html.lsp
+++ b/app/acf-util/logon-status-html.lsp
@@ -4,5 +4,5 @@
--]] %>
<h1>User Status </h1>
<p> Below is your current Session id <p>
-<%= view.value.sessionid.value %>
-<p>You are currently known to the system as <%= view.value.username.value %>.</p>
+<%= html.html_escape(view.value.sessionid.value) %>
+<p>You are currently known to the system as <%= html.html_escape(view.value.username.value) %>.</p>
diff --git a/app/acf-util/password-html.lsp b/app/acf-util/password-html.lsp
index faf8e44..7de8f88 100755
--- a/app/acf-util/password-html.lsp
+++ b/app/acf-util/password-html.lsp
@@ -9,7 +9,7 @@ io.write("</span>")
--]]
%>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
if form.value.password and form.value.password_confirm then
form.value.password.type = "password"
diff --git a/app/acf-util/password-status-html.lsp b/app/acf-util/password-status-html.lsp
index d7db4e9..714dfae 100755
--- a/app/acf-util/password-status-html.lsp
+++ b/app/acf-util/password-status-html.lsp
@@ -13,29 +13,29 @@ io.write("</span>")
<H1>User Accounts</H1>
<H2>Create new account</H2>
<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newuser" method="POST">
-<input class="hidden" type="hidden" name="redir" value="<%= page_info.orig_action %>" >
+<input class="hidden" type="hidden" name="redir" value="<%= html.html_escape(page_info.orig_action) %>" >
<dl><dt></dt><dd><input class="submit" type="submit" value="New User"></dd></dl>
</form>
<H2>Existing account</H2>
<DL>
<% for name,user in pairs(form.value) do %>
- <DT><IMG SRC='/skins/static/tango/16x16/apps/system-users.png' HEIGHT='16' WIDTH='16'> <%= name %></DT>
+ <DT><IMG SRC='/skins/static/tango/16x16/apps/system-users.png' HEIGHT='16' WIDTH='16'> <%= html.html_escape(name) %></DT>
<DD><TABLE>
<TR>
- <TD STYLE='border:none;'><B><%= user.value.userid.label %></B></TD>
- <TD STYLE='border:none;' WIDTH='90%'><%= user.value.userid.value %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.userid.label) %></B></TD>
+ <TD STYLE='border:none;' WIDTH='90%'><%= html.html_escape(user.value.userid.value) %></TD>
</TR><TR>
- <TD STYLE='border:none;'><B><%= user.value.username.label %></B></TD>
- <TD STYLE='border:none;'><%= user.value.username.value %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.username.label) %></B></TD>
+ <TD STYLE='border:none;'><%= html.html_escape(user.value.username.value) %></TD>
</TR><TR>
- <TD STYLE='border:none;'><B><%= user.value.roles.label %></B></TD>
- <TD STYLE='border:none;'><%= table.concat(user.value.roles.value, " / ") %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.roles.label) %></B></TD>
+ <TD STYLE='border:none;'><%= html.html_escape(table.concat(user.value.roles.value, " / ")) %></TD>
</TR><TR>
<TD STYLE='border:none;'><B>Option</B></TD>
<TD STYLE='border:none;'>
- [<A HREF='edituser?userid=<%= name %>&redir=<%= page_info.orig_action %>'>Edit this account</A>]
- [<A HREF='deleteuser?userid=<%= name %>'>Delete this account</A>]
- [<A HREF='<%= page_info.script %>/acf-util/roles/viewuserroles?userid=<%= name %>'>View roles for this account</A>]
+ [<A HREF='edituser?userid=<%= html.html_escape(name) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this account</A>]
+ [<A HREF='deleteuser?userid=<%= html.html_escape(name) %>'>Delete this account</A>]
+ [<A HREF='<%= html.html_escape(page_info.script) %>/acf-util/roles/viewuserroles?userid=<%= html.html_escape(name) %>'>View roles for this account</A>]
</TD>
</TR>
</TABLE></DD>
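Review bot: The userid and redir values placed into the href query strings of the edit, delete and view-roles links are HTML-escaped but not URL-encoded, so a name containing `&`, `=`, `#`, `?` or whitespace still changes the query the link carries even though it can no longer break out of the attribute. HTML escaping is the right thing for the attribute context, but a value in a query component additionally needs percent-encoding before it is escaped. The same applies to the role links in roles-viewroles-html.lsp and the package/servicename links in status-html.lsp. If the project has no URL-encoding helper, one line does it: `local function urlencode(s) return (string.gsub(tostring(s), "[^%w%-_.~]", function(c) return string.format("%%%02X", string.byte(c)) end)) end`.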
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 1997a97..f243ecb 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -5,7 +5,7 @@
io.write(html.cfe_unpack(form))
--]] %>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
displayformstart(form, page_info)
-- If editing existing role, disable role
@@ -23,7 +23,7 @@
myitem.class = "error"
io.write(' class="error"')
end
- io.write(">" .. myitem.label .. "</DT>\n")
+ io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
io.write("<DD>")
-- FIXME multiple select doesn't work in haserl, so use series of checkboxes
myitem.class = nil
@@ -44,7 +44,7 @@
myitem.checked = reverseval[val]
if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end
myitem.name = tempname .. "." .. x
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
-- Check for values not in options
if myitem.errtxt then
@@ -55,7 +55,7 @@
if not reverseopt[val] then
myitem.value = val
myitem.checked = true
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
end
if myitem.errtxt then
@@ -64,8 +64,8 @@
myitem.name = tempname
myitem.value = tempval
- if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
- if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+ if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
io.write("</DD>\n")
io.write("</DL>\n")
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
index 16e4747..d61e60a 100644
--- a/app/acf-util/roles-html.lsp
+++ b/app/acf-util/roles-html.lsp
@@ -5,17 +5,17 @@
<% ---[[ %>
<% if view.value.userid then %>
- <H1>Roles/Permission list for <%= view.value.userid.value %>:</H1>
+ <H1>Roles/Permission list for <%= html.html_escape(view.value.userid.value) %>:</H1>
<% elseif view.value.role then %>
- <H1>Permission list for <%= view.value.role.value %>:</H1>
+ <H1>Permission list for <%= html.html_escape(view.value.role.value) %>:</H1>
<% else %>
<H1>Complete permission list:</H1>
<% end %>
<% if view.value.roles then %>
- <H2><%= view.value.userid.value %> is valid in these roles</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %> is valid in these roles</H2>
<% for a,b in pairs(view.value.roles.value) do
- print("<li>",b,"</li>")
+ print("<li>",html.html_escape(b),"</li>")
end %>
<% end %>
<% --]] %>
@@ -23,9 +23,9 @@
<% ---[[ %>
<% if view.value.permissions then %>
<% if view.value.userid then %>
- <H2><%= view.value.userid.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %>'s full permissions are</H2>
<% elseif view.value.role then %>
- <H2><%= view.value.role.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.role.value) %>'s full permissions are</H2>
<% end %>
<% local controllers = {}
-- It's nice to have it in alphabetical order
@@ -36,7 +36,7 @@
io.write("<TABLE>")
io.write("<TR><TD CLASS='header'>Controller</TD><TD CLASS='header'>Action(s)</TD>")
for x,cont in ipairs(controllers) do
- print("<TR><TD STYLE='font-weight:bold;'>",cont,"</TD><TD>")
+ print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(cont),"</TD><TD>")
-- Again, alphabetical order
local actions = {}
for act in pairs(view.value.permissions.value[cont]) do
@@ -44,7 +44,7 @@
end
table.sort(actions)
for y,act in pairs(actions) do
- print(act)
+ print(html.html_escape(act))
end
io.write("<TD></TR>")
end
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 0334499..46fdfc2 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -9,8 +9,8 @@
<H1>Roles</H1>
<H2>Create new role</H2>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newrole" method="POST">
-<input class="hidden" type="hidden" name="redir" value="<%= page_info.orig_action %>" >
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller) %>/newrole" method="POST">
+<input class="hidden" type="hidden" name="redir" value="<%= html.html_escape(page_info.orig_action) %>" >
<dl><dt></dt><dd><input class="submit" type="submit" value="New Role"></dd></dl>
</form>
@@ -18,10 +18,10 @@
<% if view.value.default_roles then %>
<dl>
<% for x,role in pairs(view.value.default_roles.value) do %>
- <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
<dd>
- [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
- [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
+ [<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
+ [<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
</dd>
<% end %>
</dl>
@@ -30,11 +30,11 @@
<dl>
<% table.sort(view.value.defined_roles.value) %>
<% for x,role in pairs(view.value.defined_roles.value) do %>
- <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
<dd>
- [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
- [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
- [<a href='deleterole?role=<%= role %>'>Delete this role</a>]
+ [<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
+ [<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
+ [<a href='deleterole?role=<%= html.html_escape(role) %>'>Delete this role</a>]
</dd>
<% end %>
</dl>
diff --git a/app/dispatcherror-html.lsp b/app/dispatcherror-html.lsp
index ce6b5c8..82f873f 100644
--- a/app/dispatcherror-html.lsp
+++ b/app/dispatcherror-html.lsp
@@ -27,4 +27,4 @@
<h1>Alpine Configuration Framework</h1>
<p class="errordetail">Dispatch error occured</p>
-<p class="hiddendetail">'<%= view.controller %>' does not have a '<%= view.action %>' action.</p>
+<p class="hiddendetail">'<%= html.html_escapt(view.controller) %>' does not have a '<%= html.html_escape(view.action) %>' action.</p>
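Review bot: The new line calls `html.html_escapt(view.controller)`, a typo for `html.html_escape`; `html.html_escapt` is nil, so the dispatch-error page itself now fails with an "attempt to call field" error instead of rendering, and the correctly spelled escape on the same line is never reached. Change it to `<p class="hiddendetail">'<%= html.html_escape(view.controller) %>' does not have a '<%= html.html_escape(view.action) %>' action.</p>`.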
diff --git a/app/exception-html.lsp b/app/exception-html.lsp
index 9b7a441..3bd6621 100644
--- a/app/exception-html.lsp
+++ b/app/exception-html.lsp
@@ -27,4 +27,4 @@
<h1>Alpine Configuration Framework</h1>
<p class="errordetail">Application error occured</p>
-<p class="hiddendetail"><%= view.message %></p>
+<p class="hiddendetail"><%= html.html_escape(view.message) %></p>
diff --git a/app/filedetails-html.lsp b/app/filedetails-html.lsp
index ccf7a0c..59d0cdd 100644
--- a/app/filedetails-html.lsp
+++ b/app/filedetails-html.lsp
@@ -20,13 +20,13 @@ displayitem(form.value.mtime)
<% if form.type == "form" then %>
<% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>
<% displayformstart(form) %>
-<input type="hidden" name="filename" value="<%= form.value.filename.value %>">
+<input type="hidden" name="filename" value="<%= html.html_escape(form.value.filename.value) %>">
<% end %>
<textarea name="filecontent">
<%= html.html_escape(form.value.filecontent.value) %>
</textarea>
-<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") %></P><% end %>
-<% if form.value.filecontent.descr then %><P CLASS='descr'><%= string.gsub(form.value.filecontent.descr, "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.descr then %><P CLASS='descr'><%= string.gsub(html.html_escape(form.value.filecontent.descr), "\n", "<BR>") %></P><% end %>
<% if form.type == "form" then %>
<H3>Save</H3>
diff --git a/app/form-html.lsp b/app/form-html.lsp
index de09780..cc50d2c 100644
--- a/app/form-html.lsp
+++ b/app/form-html.lsp
@@ -2,7 +2,7 @@
require("viewfunctions")
%>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
displayform(form)
diff --git a/app/startstop-html.lsp b/app/startstop-html.lsp
index cbe4d5f..ab9b8ac 100644
--- a/app/startstop-html.lsp
+++ b/app/startstop-html.lsp
@@ -2,7 +2,7 @@
<H1>Management</H1>
<DL>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>" method="POST">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>" method="POST">
<DT>Program control-panel</DT>
<DD>
<input class="submit" type="submit" name="action" value="Start" <% if data.value.status.value== "Running" then io.write("disabled") end %>>
@@ -15,9 +15,9 @@
<DT>Previous action result</DT>
<DD>
<% if data.value.result.value ~= "" then %>
-<P CLASS='descr'><%= string.gsub(data.value.result.value, "\n", "<BR>") %></P>
+<P CLASS='descr'><%= string.gsub(html.html_escape(data.value.result.value), "\n", "<BR>") %></P>
<% end if data.value.result.errtxt then %>
-<P CLASS='error'><%= string.gsub(data.value.result.errtxt, "\n", "<BR>") %></P>
+<P CLASS='error'><%= string.gsub(html.html_escape(data.value.result.errtxt), "\n", "<BR>") %></P>
<% end end %>
</DD>
</DL>
diff --git a/app/status-html.lsp b/app/status-html.lsp
index f1e4c5c..8bd53db 100644
--- a/app/status-html.lsp
+++ b/app/status-html.lsp
@@ -12,13 +12,13 @@ displayitem(data.value.status)
displayitem(data.value.version)
if data.value.version and data.value.version.errtxt and session.permissions.apk and session.permissions.apk.install then
%>
- <a href="<%= page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name %>">Install</a>
+ <a href="<%= html.html_escape(page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name) %>">Install</a>
<%
end
displayitem(data.value.autostart)
if not (data.value.version and data.value.version.errtxt) and data.value.autostart and data.value.autostart.errtxt and session.permissions.rc and session.permissions.rc.edit then
%>
- <a href="<%= page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action %>">Schedule autostart</a>
+ <a href="<%= html.html_escape(page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action) %>">Schedule autostart</a>
<% end %>
</DL>
diff --git a/app/template-html.lsp b/app/template-html.lsp
index 4cd4f4d..cf6054b 100644
--- a/app/template-html.lsp
+++ b/app/template-html.lsp
@@ -22,11 +22,11 @@ if viewlibrary and viewlibrary.dispatch_component then
end
end
%>
-<title><%= hostname .. " - " .. pageinfo.controller .. "->" .. pageinfo.action %></title>
-<link rel="stylesheet" type="text/css" href="<%= pageinfo.skindir %>static/reset.css">
-<link rel="stylesheet" type="text/css" href="<%= pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin..".css" %>">
+<title><%= html.html_escape(hostname .. " - " .. pageinfo.controller .. "->" .. pageinfo.action) %></title>
+<link rel="stylesheet" type="text/css" href="<%= html.html_escape(pageinfo.skindir) %>static/reset.css">
+<link rel="stylesheet" type="text/css" href="<%= html.html_escape(pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin..".css") %>">
<!--[if IE]>
-<link rel="stylesheet" type="text/css" href="<%= pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin.."-ie.css" %>">
+<link rel="stylesheet" type="text/css" href="<%= html.html_escape(pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin.."-ie.css") %>">
<![endif]-->
</head>
<body>
@@ -39,7 +39,7 @@ end
<div id="logo">
<div class="leader"></div>
<h1>AlpineLinux</h1>
- <p><%= hostname or "unknown hostname" %></p>
+ <p><%= html.html_escape(hostname or "unknown hostname") %></p>
<div class="tailer"></div>
</div>
<span class="mute">
@@ -47,9 +47,9 @@ end
<% local ctlr = pageinfo.script .. "/acf-util/logon/"
if session.userinfo and session.userinfo.userid then
- io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log out as '" .. session.userinfo.userid .. "'</a>\n", ctlr .. "logout" ) )
+ io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log out as '" .. html.html_escape(session.userinfo.userid) .. "'</a>\n", html.html_escape(ctlr) .. "logout" ) )
else
- io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log in</a>\n", ctlr .. "logon" ) )
+ io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log in</a>\n", html.html_escape(ctlr) .. "logon" ) )
end %>
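Review bot: The escaped userid on the new logout line is still concatenated into the string.format pattern rather than passed as an argument, so a `%` in `session.userinfo.userid` is read as a conversion specifier and `string.format` either errors or consumes the next argument; `html.html_escape` does not touch `%`. Passing it as a second `%s` removes that: `io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log out as '%s'</a>\n", html.html_escape(ctlr) .. "logout", html.html_escape(session.userinfo.userid) ) )`. This predates the commit, but the line was rewritten here anyway.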
|
<a href="/">home</a> |
@@ -72,7 +72,7 @@ end
local tabs
io.write ( "<ul>")
for x,cat in ipairs(session.menu.cats) do
- io.write (string.format("\n\t\t\t\t<li>%s\n\t\t\t\t\t<ul>\n", cat.name)) --start row
+ io.write (string.format("\n\t\t\t\t<li>%s\n\t\t\t\t\t<ul>\n", html.html_escape(cat.name))) --start row
for y,group in ipairs(cat.groups) do
if pageinfo.prefix == group.prefix .. '/' and pageinfo.controller == group.controller then
class="class='selected'"
@@ -81,7 +81,7 @@ end
class=""
end
io.write (string.format("\t\t\t\t\t\t<li %s><a href=\"%s%s/%s/%s\">%s</a></li>\n",
- class,pageinfo.script,group.prefix, group.controller, group.tabs[1].action, group.name ))
+ html.html_escape(class),html.html_escape(pageinfo.script),html.html_escape(group.prefix), html.html_escape(group.controller), html.html_escape(group.tabs[1].action), html.html_escape(group.name) ))
end
io.write ( "\t\t\t\t\t</ul>" )
end
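Review bot: `class` here holds a ready-made attribute fragment, `class='selected'` or the empty string (the assignment is visible a few lines above in this hunk), not a data value, so passing it through `html.html_escape` turns the quotes into `&#39;` and the `<li>` no longer receives the selected class. The same happens in the tab loop later in this file, where `class` is escaped twice more. Keep `class` unescaped and escape only the data fields: `class,html.html_escape(pageinfo.script),html.html_escape(group.prefix), html.html_escape(group.controller), html.html_escape(group.tabs[1].action), html.html_escape(group.name) ))`, and correspondingly `class,class,html.html_escape(tab.action),html.html_escape(tab.name) ))` in the tab loop.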
@@ -96,7 +96,7 @@ end
<div id="postnav">
<div class="leader">
</div>
- <h2><%= pageinfo.controller %> : <%= pageinfo.action %></h2>
+ <h2><%= html.html_escape(pageinfo.controller) %> : <%= html.html_escape(pageinfo.action) %></h2>
<!-- FIXME: Next row is 'dead' data! Remove 'class=hide' when done! -->
<p class='hide'>[ welcome ] > [ login ] > [ bgp ] > [ firewall ] > [ content filter ] > [ interfaces ]</p>
<div class="tailer">
@@ -119,7 +119,7 @@ end
class=""
end
io.write (string.format('<li %s><a %s href="%s">%s</a></li>\n',
- class,class,tab.action,tab.name ))
+ html.html_escape(class),html.html_escape(class),html.html_escape(tab.action),html.html_escape(tab.name) ))
end
%>
</ul>
@@ -144,7 +144,7 @@ end
<div id="footer">
<div class="leader">
</div>
- <p>Page generated in <%= os.clock() %> seconds on <%= os.date() %>.</p>
+ <p>Page generated in <%= html.html_escape(os.clock()) %> seconds on <%= html.html_escape(os.date()) %>.</p>
<div class="tailer">
</div>
</div> <!-- footer -->
diff --git a/lib/html.lua b/lib/html.lua
index 96bf4ad..4dac45f 100644
--- a/lib/html.lua
+++ b/lib/html.lua
@@ -22,8 +22,8 @@ cookie.set = function ( name, value, path )
if path == nil then
path = "/"
end
- return (string.format('Set-Cookie: %s=%s; path=%s; %s\n', tostring(name),
- tostring(value), path, expires))
+ return (string.format('Set-Cookie: %s=%s; path=%s; %s\n', html_escape(tostring(name)),
+ html_escape(tostring(value)), html_escape(path), html_escape(expires)))
end
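Review bot: `html_escape` is the wrong transform for a `Set-Cookie` line: this is HTTP header context, not HTML, so escaping `&`, `<`, `>`, `'` and `"` silently alters the cookie value the browser stores (a `"` becomes `&quot;`) while doing nothing about what matters in a header, a CR or LF in the name, value or path that would end the header. What this line needs instead is a cookie-specific check that rejects or strips `\r`, `\n`, `;` and `,`, e.g. `assert(not string.find(tostring(value), "[\r\n;,]"), "invalid cookie value")` before the format call, applied likewise to name and path. With that in place the format arguments should go back to `tostring(name), tostring(value), path, expires`.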
@@ -39,7 +39,9 @@ function html_escape (text )
text = text or ""
local str = string.gsub (text, "&", "&amp;" )
str = string.gsub (str, "<", "&lt;" )
- return string.gsub (str, ">", "&gt;" )
+ str = string.gsub (str, ">", "&gt;" )
+ str = string.gsub (str, "'", "&#39;" )
+ return string.gsub (str, '"', "&quot;" )
end
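Review bot: The function still ends with `return string.gsub (...)`, which returns two values, the escaped string and the substitution count; that is harmless under `..` but leaks wherever the call is the last argument of a multi-value sink, which is now the dominant usage added by this commit (`<%= html.html_escape(x) %>` in the templates, assuming haserl compiles that to `io.write(...)`, and `print("<li>",html.html_escape(b),"</li>")` in roles-html.lsp). Finishing with `str = string.gsub (str, '"', "&quot;" )` followed by `return str` removes the extra value at the source. The same multi-value leak exists independently where `string.gsub(...)` is itself the whole `<%= %>` expression (filedetails-html.lsp, startstop-html.lsp); wrapping those calls in parentheses truncates them to the string. A one-line doc comment would also help: `-- Escape &, <, >, ' and " so text can be placed in HTML content or a quoted attribute; nil is treated as "".`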
-- return a name,value pair as a string.
@@ -55,7 +57,7 @@ local nv_pair = function ( name, value)
if ( value == nil ) then
return ( "" )
else
- return (string.format (' %s="%s" ', name , ( value or "" ) ))
+ return (string.format (' %s="%s" ', html_escape(name) , html_escape(value) ))
end
end
@@ -87,7 +89,7 @@ local generic_input = function ( field_type, v )
return nil
end
- local str = string.format ( '<input class="%s" type="%s" ', field_type,field_type )
+ local str = string.format ( '<input class="%s" type="%s" ', html_escape(field_type), html_escape(field_type) )
for i,k in ipairs ( {
"name", "size", "checked", "maxlength",
@@ -125,7 +127,7 @@ form.longtext = function ( v )
str = str .. nv_pair ( k, v[k] )
end
str = str .. nv_pair (nil, v.disabled)
- return ( str .. ">" .. (v.value or "" ) .. "</textarea>" )
+ return ( str .. ">" .. html_escape(v.value) .. "</textarea>" )
end
@@ -201,10 +203,10 @@ function form.select ( v )
str = str .. " selected"
selected = true
end
- str = str .. nv_pair("value", val) .. ">" .. k .. "</option>"
+ str = str .. nv_pair("value", val) .. ">" .. html_escape(val) .. "</option>"
end
if not selected then
- str = str .. '<option selected value="' .. v.value ..'">[' .. v.value .. ']</option>'
+ str = str .. '<option selected value="' .. html_escape(v.value) ..'">[' .. html_escape(v.value) .. ']</option>'
end
str = str .. "</select>"
return (str)
@@ -224,9 +226,9 @@ function form.start ( v)
local method = v.method or "get"
return ( string.format (
'<form %s%s%s>',
- nv_pair ( "class", v.class ),
- nv_pair ( "method", v.method),
- nv_pair ( "action", v.action )
+ nv_pair ( "class", html_escape(v.class) ),
+ nv_pair ( "method", html_escape(v.method) ),
+ nv_pair ( "action", html_escape(v.action) )
) )
end
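Review bot: `nv_pair` now escapes its value itself (see the hunk above), so the three `html_escape(v.class)`/`html_escape(v.method)`/`html_escape(v.action)` wrappers here escape twice and an action containing `&` is emitted as `&amp;amp;`. They also change behaviour for absent fields: `html_escape(nil)` returns `""`, so nv_pair's `value == nil` shortcut no longer triggers and the form gains empty `class=""`/`method=""`/`action=""` attributes where it previously had none. Pass the raw fields, `nv_pair ( "class", v.class ), nv_pair ( "method", v.method), nv_pair ( "action", v.action )`, and let nv_pair do the escaping. The `local method = v.method or "get"` default computed above is still not what is passed to nv_pair, which predates this commit.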
@@ -240,9 +242,9 @@ end
function entity (tag, text, class, id)
return ( string.format (
"<%s%s%s>%s</%s>",
- tag,
+ html_escape(tag),
nv_pair ("class", class),
- nv_pair("id", id), text , tag)
+ nv_pair("id", id), html_escape(text), html_escape(tag))
)
end
@@ -256,7 +258,7 @@ function link ( v )
str = str .. nv_pair ( k, v[k] )
end
- return ( "<a " .. str .. ">" .. (v.label or "" ) .. "</a>" )
+ return ( "<a " .. str .. ">" .. html_escape(v.label) .. "</a>" )
end
@@ -265,7 +267,7 @@ end
function cfe_unpack ( a )
if type(a) == "table" then
value = session.serialize("cfe", a)
- value = "<pre>" .. value .. "</pre>"
+ value = "<pre>" .. html_escape(value) .. "</pre>"
return value
end
diff --git a/lib/viewfunctions.lua b/lib/viewfunctions.lua
index 139b6f6..f1c5436 100644
--- a/lib/viewfunctions.lua
+++ b/lib/viewfunctions.lua
@@ -1,3 +1,4 @@
+require("html")
function displayinfo(myform,tags,viewtype)
for k,v in pairs(tags) do
@@ -91,11 +92,11 @@ function displayitem(myitem)
myitem.class = "error"
io.write(" class='error'")
end
- io.write(">" .. myitem.label .. "</DT>\n")
+ io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
io.write("<DD>")
- io.write(string.gsub(tostring(myitem.value), "\n", "<BR>") .. "\n")
- if myitem.descr then io.write("<P CLASS='descr'>" .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
- if myitem.errtxt then io.write("<P CLASS='error'>" .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ io.write(string.gsub(html.html_escape(tostring(myitem.value)), "\n", "<BR>") .. "\n")
+ if myitem.descr then io.write("<P CLASS='descr'>" .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+ if myitem.errtxt then io.write("<P CLASS='error'>" .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
io.write("</DD>\n")
end
@@ -108,7 +109,7 @@ function displayformitem(myitem, name, viewtype)
myitem.class = "error"
io.write(' class="error"')
end
- io.write(">" .. myitem.label .. "</DT>\n")
+ io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
io.write("<DD>\n")
end
if (viewtype == "viewonly") then
@@ -131,7 +132,7 @@ function displayformitem(myitem, name, viewtype)
myitem.value = val
myitem.checked = reverseval[val]
myitem.name = tempname .. "." .. x
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
-- Check for values not in options
if myitem.errtxt then
@@ -142,7 +143,7 @@ function displayformitem(myitem, name, viewtype)
if not reverseopt[val] then
myitem.value = val
myitem.checked = true
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
end
if myitem.errtxt then
@@ -161,8 +162,8 @@ function displayformitem(myitem, name, viewtype)
io.write((html.form[myitem.type](myitem) or "") .. "\n")
end
if myitem.type ~= "hidden" then
- if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
- if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+ if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
io.write("</DD>\n")
end
end
@@ -172,9 +173,9 @@ function displayformstart(myform, page_info)
if not myform.action and page_info then
myform.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
end
- if myform.descr then io.write('<P CLASS="descr">' .. string.gsub(myform.descr, "\n", "<BR>") .. "</P>\n") end
- if myform.errtxt then io.write('<P CLASS="error">' .. string.gsub(myform.errtxt, "\n", "<BR>") .. "</P>\n") end
- io.write('<form action="' .. (myform.action or "") .. '" method="POST">\n')
+ if myform.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myform.descr), "\n", "<BR>") .. "</P>\n") end
+ if myform.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myform.errtxt), "\n", "<BR>") .. "</P>\n") end
+ io.write('<form action="' .. html.html_escape(myform.action) .. '" method="POST">\n')
if myform.value.redir then
displayformitem(myform.value.redir, "redir")
end
@@ -221,7 +222,7 @@ end
function displayformend(myform)
if not myform then return end
io.write('<DL>\n')
- io.write('<DT></DT><DD><input class="submit" type="submit" name="' .. myform.option .. '" value="' .. (myform.submit or myform.option) .. '"></DD>\n')
+ io.write('<DT></DT><DD><input class="submit" type="submit" name="' .. html.html_escape(myform.option) .. '" value="' .. html.html_escape(myform.submit or myform.option) .. '"></DD>\n')
io.write('</DL>\n')
io.write('</FORM>')
end
@@ -239,9 +240,9 @@ function displaycommandresults(commands, session, preserveerrors)
if #cmdresult > 0 then
io.write("<H1>Command Result</H1>\n<DL>\n")
for i,result in ipairs(cmdresult) do
- if type(result.value) == "string" and result.value ~= "" then io.write(result.value:gsub("\n", "<BR>") .. "\n") end
- if result.descr then io.write('<P CLASS="descr">' .. string.gsub(result.descr, "\n", "<BR>") .. "</P>\n") end
- if result.errtxt then io.write('<P CLASS="error">' .. string.gsub(result.errtxt, "\n", "<BR>") .. "</P>\n") end
+ if type(result.value) == "string" and result.value ~= "" then io.write(string.gsub(html.html_escape(result.value), "\n", "<BR>") .. "\n") end
+ if result.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(result.descr), "\n", "<BR>") .. "</P>\n") end
+ if result.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(result.errtxt), "\n", "<BR>") .. "</P>\n") end
end
io.write("</DL>\n")
end