Escape the output to be HTML-safe.
authorFlorian Forster <octo@leeloo.(none)>
Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)
committerFlorian Forster <octo@leeloo.(none)>
Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)
This is done using HTML::Entities.

licom.cgi

index 70e1e72..f96349b 100755 (executable)
--- a/licom.cgi
+++ b/licom.cgi
@@ -23,6 +23,7 @@ use lib (qw(lib));
 use CGI (':cgi');
 use CGI::Carp (qw(fatalsToBrowser));
 use URI::Escape;
+use HTML::Entities (qw(encode_entities));
 use Data::Dumper;
 
 use LiCoM::Config (qw(get_config set_config read_config));
@@ -139,8 +140,11 @@ sub action_browse
                        my $group_esc  = uri_escape ($group_name);
                        my $desc = $group->description ();
 
-                       print qq#\t\t\t<li><a href="$MySelf?action=browse&group=$group_esc">$group_name</a> ($members Member#, ($members == 1 ? ')' : 's)');
-                       print qq(<br />\n\t\t\t\t<span class="description">$desc</span>) if ($desc);
+                       print qq#\t\t\t<li><a href="$MySelf?action=browse&group=$group_esc">#,
+                       encode_entities ($group_name),
+                       qq#</a> ($members Member#, ($members == 1 ? ')' : 's)');
+                       print qq(<br />\n\t\t\t\t<span class="description">),
+                       encode_entities ($desc) . '</span>' if ($desc);
                        print "</li>\n";
                }
                if (!@groups)
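Review bot: The query-string separator in the rewritten href (`browse&group=$group_esc`, L27) is still a bare `&` inside an attribute value, which is not well-formed in the XHTML-style markup this page emits (`<br />` on L30) and is the one part of the attribute the new `encode_entities` calls do not touch. Write it as `browse&amp;group=$group_esc` (the same applies to the other hrefs in this file); browsers decode it back to `&` before requesting. `$MySelf` is interpolated unescaped as well, which is fine if it is a fixed script path but worth encoding if it is ever taken from the request environment. action_browse continues outside the hunk.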
@@ -226,7 +230,7 @@ EOF
                {
                        my $field = $_;
                        my @values = $person->get ($field);
-                       print "\t\t\t\t<td>" . join ('<br />', @values) . "</td>\n";
+                       print "\t\t\t\t<td>" . join ('<br />', map { encode_entities ($_) } (@values)) . "</td>\n";
                }
 
                print "\t\t\t</tr>\n";
@@ -250,22 +254,23 @@ sub action_detail
        $cn = shift if (@_);
        die unless ($cn);
 
+       my $cn_html = encode_entities ($cn);
+       my $cn_uri  = uri_escape ($cn);
+
        my $person = LiCoM::Person->load ($cn);
        if (!$person)
        {
-               print qq(\t<div>Entry &quot;$cn&quot; could not be loaded from DB.</div>\n);
+               print qq(\t<div>Entry &quot;$cn_html&quot; could not be loaded from DB.</div>\n);
                return;
        }
 
-       print qq(\t\t<h2>Details for $cn</h2>\n);
-
-       my $cn_esc = uri_escape ($cn);
+       print qq(\t\t<h2>Details for $cn_html</h2>\n);
 
        print <<EOF;
                <table class="detail">
                        <tr>
                                <th>Name</th>
-                               <td>$cn</td>
+                               <td>$cn_html</td>
                        </tr>
 EOF
        for (@MultiFields)
@@ -273,38 +278,51 @@ EOF
                my $field = $_;
                my $values = $person->get ($field);
                my $num = scalar (@$values);
-               my $print = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field;
+               my $field_name = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field;
 
                next unless ($num);
 
+               $field_name = encode_entities ($field_name);
+
                print "\t\t\t<tr>\n";
                if ($num > 1)
                {
-                       print qq(\t\t\t\t<th rowspan="$num">$print</th>\n);
+                       print qq(\t\t\t\t<th rowspan="$num">$field_name</th>\n);
                }
                else
                {
-                       print qq(\t\t\t\t<th>$print</th>\n);
+                       print qq(\t\t\t\t<th>$field_name</th>\n);
                }
 
                for (my $i = 0; $i < $num; $i++)
                {
                        my $val = $values->[$i];
+                       my $val_uri  = uri_escape ($val);
+                       my $val_html = encode_entities ($val);
 
                        if ($field eq 'group')
                        {
-                               my $val_esc = uri_escape ($val);
-                               $val = qq(<a href="$MySelf?action=browse&group=$val_esc">$val</a>);
+                               $val = qq(<a href="$MySelf?action=browse&group=$val_uri">$val_html</a>);
                        }
                        elsif ($field eq 'uri')
                        {
-                               my $uri = $val;
-                               $uri = qq(http://$val) unless ($val =~ m#^[a-z]+://#);
-                               $val = qq(<a href="$uri" class="extern">$val</a>);
+                               if ($val =~ m#^([a-z]+)://(.+)$#)
+                               {
+                                       $val_uri = $1 . '://' . uri_escape ($2);
+                               }
+                               else
+                               {
+                                       $val_uri = 'http://' . uri_escape ($val);
+                               }
+                               $val = qq(<a href="$val_uri" class="extern">$val_html</a>);
                        }
                        elsif ($field eq 'mail')
                        {
-                               $val = qq(<a href="mailto:$val" class="mail">$val</a>);
+                               $val = qq(<a href="mailto:$val_uri" class="mail">$val_html</a>);
+                       }
+                       else
+                       {
+                               $val = $val_html;
                        }
                        
                        print "\t\t\t<tr>\n" if ($i);
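Review bot: The new `uri` branch percent-encodes everything after the scheme with `uri_escape ($2)` (L115, and the whole value on L119), and uri_escape's default set also escapes `/`, `?`, `=` and `:`, so a stored `http://example.org/~octo/?a=1` is rendered as `http://example.org%2F~octo%2F%3Fa%3D1` and the link no longer resolves. A stored value is already a URI and only needs HTML-escaping for the attribute (`encode_entities`); what is missing instead is a scheme check, because `m#^([a-z]+)://(.+)$#` accepts `javascript://...` and the browser percent-decodes such a body before executing it, so the escaping does not neutralise it. The rewrite below links only http/https/ftp and falls back to plain text otherwise; `mailto:$val_uri` (L126) has the same re-encoding issue but `%40` for `@` is tolerated by mail clients. The loop and action_detail continue past the hunk.
```perl
			elsif ($field eq 'uri')
			{
				# The stored value is already a URI: escape it for the
				# attribute context only, and link just the schemes a
				# browser should follow (javascript:/data: must not be href).
				my $uri = ($val =~ m#^[a-z]+://#i) ? $val : 'http://' . $val;
				if ($uri =~ m#^(?:https?|ftp)://#i)
				{
					my $uri_html = encode_entities ($uri);
					$val = qq(<a href="$uri_html" class="extern">$val_html</a>);
				}
				else
				{
					$val = $val_html;
				}
			}
			# … unchanged: mail and default branches …
```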
@@ -323,10 +341,11 @@ EOF
                {
                        my $group = $groups[$i];
                        my $group_name = $group->name ();
-                       my $group_esc = uri_escape ($group_name);
+                       my $group_uri  = uri_escape ($group_name);
+                       my $group_html = encode_entities ($group_name);
 
                        print "\t\t\t<tr>\n" if ($i != 0);
-                       print qq(\t\t\t\t<td><a href="$MySelf?action=browse&group=$group_esc">$group_name</a></td>\n),
+                       print qq(\t\t\t\t<td><a href="$MySelf?action=browse&group=$group_uri">$group_html</a></td>\n),
                        "\t\t\t</tr>\n";
                }
        }
@@ -335,10 +354,10 @@ EOF
                </table>
 
                <div class="menu">
-                       [<a href="$MySelf?action=verify&cn=$cn_esc">Verify</a>]
-                       [<a href="$MySelf?action=vcard&cn=$cn_esc">vCard</a>]
-                       [<a href="$MySelf?action=edit&cn=$cn_esc">Edit</a>]
-                       [<a href="$MySelf?action=delete&cn=$cn_esc">Delete</a>]
+                       [<a href="$MySelf?action=verify&cn=$cn_uri">Verify</a>]
+                       [<a href="$MySelf?action=vcard&cn=$cn_uri">vCard</a>]
+                       [<a href="$MySelf?action=edit&cn=$cn_uri">Edit</a>]
+                       [<a href="$MySelf?action=delete&cn=$cn_uri">Delete</a>]
                </div>
 
 EOF
@@ -388,9 +407,10 @@ sub action_search
        {
                my $person = $_;
                my $cn = $person->name ();
-               my $cn_esc = uri_escape ($cn);
+               my $cn_uri  = uri_escape ($cn);
+               my $cn_html = encode_entities ($cn);
 
-               print qq(\t\t<li><a href="$MySelf?action=detail&cn=$cn_esc">$cn</a></li>\n);
+               print qq(\t\t<li><a href="$MySelf?action=detail&cn=$cn_uri">$cn_html</a></li>\n);
        }
        print qq(\t</ul>\n);
 }
@@ -404,6 +424,8 @@ sub action_edit
        $cn = $opts{'cn'} if (defined ($opts{'cn'}));
        $cn ||= '';
 
+       my $cn_html = encode_entities ($cn);
+
        if (!$UserID)
        {
                $cn = $UserCN;
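Review bot: `$cn_html` is computed at the top of action_edit (L180) from the request value, but `$cn` is reassigned to `$UserCN` in the `!$UserID` branch directly below (L184); if that branch falls through rather than returning, the heading and the hidden `cn` input printed later in this function will show and submit the stale request value (possibly empty) instead of the user's own cn. Move the encoding next to its use, `my $cn_html = encode_entities ($cn);` immediately before the `if ($cn)` that prints the "Edit contact" heading, so it always reflects the final `$cn`. The remainder of action_edit, including that heading, is outside this hunk.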
@@ -451,7 +473,7 @@ sub action_edit
 
        if ($cn)
        {
-               print "\t\t<h2>Edit contact $cn</h2>\n";
+               print "\t\t<h2>Edit contact $cn_html</h2>\n";
        }
        else
        {
@@ -461,7 +483,7 @@ sub action_edit
        print <<EOF;
                <form action="$MySelf" method="post">
                <input type="hidden" name="action" value="save" />
-               <input type="hidden" name="cn" value="$cn" />
+               <input type="hidden" name="cn" value="$cn_html" />
                <table class="edit">
                        <tr>
                                <th>Lastname</th>
@@ -499,10 +521,13 @@ EOF
                next if ($field eq 'group');
 
                push (@values, '');
+
+               $field = encode_entities ($field);
+               $print = encode_entities ($print);
                
                for (@values)
                {
-                       my $value = $_;
+                       my $value = encode_entities ($_);
 
                        print <<EOF;
                        <tr>
@@ -526,7 +551,7 @@ EOF
                        for (@all_groups)
                        {
                                my $group = $_;
-                               my $group_name = $group->name ();
+                               my $group_name = encode_entities ($group->name ());
                                my $selected = '';
 
                                if (grep { $cn eq $_ } ($group->get_members ()))
@@ -626,7 +651,8 @@ sub action_save
                }
                else
                {
-                       print qq(\t<div class="error">Group &quot;$group_name&quot; does not exist or could not be loaded.</div>\n);
+                       my $group_html = encode_entities ($group_name);
+                       print qq(\t<div class="error">Group &quot;$group_html&quot; does not exist or could not be loaded.</div>\n);
                }
        }
 
@@ -672,7 +698,10 @@ sub action_update
                $person->firstname ($firstname) if ($firstname and $firstname ne $person->firstname ());
 
                $cn = $person->name ();
-               # FIXME Fix groups
+               # FIXME Fix groups:
+               # Each group is one entry of type (objectClass=groupOfNames)
+               # with one or more `member' attributes. These attributes are
+               # the `dn' (distinguished name) of the member entries.
        }
 
        my $contacts = get_contacts ();
@@ -793,6 +822,8 @@ sub action_verify
        $cn = shift if (@_);
        die unless ($cn);
 
+       my $cn_html = encode_entities ($cn);
+
        my $person = LiCoM::Person->load ($cn);
        die unless ($person);
 
@@ -800,21 +831,24 @@ sub action_verify
        $mail ||= '';
 
        my $message;
-       my $password = $person->get ('password');
+       my ($password) = $person->get ('password');
+       my $password_html;
 
        if (!$password)
        {
                $password = pwgen ();
-               $person->set ('password', $password);
+               $person->set ('password', [$password]);
        }
+       $password_html = encode_entities ($password);
 
-       $message = qq(The password for the record &quot;$cn&quot; is &quot;$password&quot;.);
+       $message = qq(The password for the record &quot;$cn_html&quot; is &quot;$password_html&quot;.);
 
        if ($mail)
        {
                if (action_verify_send_mail ($person))
                {
-                       $message .= qq( A request for verification has been sent to $mail.);
+                       my $mail_html = encode_entities ($mail);
+                       $message .= qq( A request for verification has been sent to $mail_html.);
                }
        }
        else
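Review bot: The record's password is written into the response in clear (`$password_html` inside `$message`, L275) even on the branch where a verification mail carrying it has just been sent, so it is shown to the operator's browser every time action_verify is called. Since `$person->get ('password')` (L263) yields the usable secret, the store is — assuming set() on L270 persists the value as-is — a plaintext credential store readable by anyone who can reach this action; hashing on set with a compare at login would remove that, if the login code permits. At minimum build `$message` without the password and append it only in the `else` branch where no mail goes out. Note also that an existing password is re-used rather than rotated on repeated verify calls (L266-L271), which may be intended.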
@@ -836,8 +870,8 @@ sub action_verify_send_mail
        my ($owner_mail) = $owner->get ('mail');
        if (!$owner_mail)
        {
-               my $cn = uri_escape ($UserCN);
-               print qq(\t\t<div class="error">You have no email set in your own profile. <a href="$MySelf?action=edit&cn=$cn">Edit it now</a>!</div>\n);
+               my $cn_uri = uri_escape ($UserCN);
+               print qq(\t\t<div class="error">You have no email set in your own profile. <a href="$MySelf?action=edit&cn=$cn_uri">Edit it now</a>!</div>\n);
                return (0);
        }
 
@@ -848,15 +882,15 @@ sub action_verify_send_mail
        }
        $max_width++;
 
-       my $person_name = $person->name ();
+       my $person_name   = $person->name ();
        my ($person_mail) = $person->get ('mail');
-       my $person_gn = $person->firstname ();
-       my $password = $person->get ('password');
+       my $person_gn     = $person->firstname ();
+       my ($password)    = $person->get ('password');
 
        my $host = $ENV{'HTTP_HOST'};
        my $url = (defined ($ENV{'HTTPS'}) ? 'https://' : 'http://') . $host . $MySelf;
        
-       open ($smh, "| /usr/sbin/sendmail -t -f $owner_mail") or die ("open pipe to sendmail: $!");
+       open ($smh, '|-', '/usr/sbin/sendmail', '-t', '-f', $owner_mail) or die ("open (sendmail): $!");
        print $smh <<EOM;
 To: $person_name <$person_mail>
 From: $UserCN <$owner_mail>
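Review bot: The list-form `open` on L314 stops shell injection, but the values interpolated into the message headers on L316-L317 — `$person_name`, `$person_mail`, `$UserCN`, `$owner_mail` — are still used unchecked, and with `sendmail -t` a CR/LF inside any of them (e.g. a directory `mail` value of `x@a.b\nBcc: ...`) adds recipients or headers. Reject them before the open, `die ("CR/LF in mail header value") if (grep { m/[\r\n]/ } ($person_name, $person_mail, $UserCN, $owner_mail));`, and quote the display names (`"$person_name" <$person_mail>`). The `$url` placed in the mail is built from `$ENV{'HTTP_HOST'}` (L310-L311), which the requester controls, so a crafted Host header points the verification link at an attacker's host; take the host name from configuration instead. The heredoc and action_verify_send_mail continue past the hunk.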
@@ -905,19 +939,20 @@ sub action_ask_del
        my $person = LiCoM::Person->load ($cn);
        $person or die;
 
-       my $cn_esc = uri_escape ($cn);
+       my $cn_uri  = uri_escape ($cn);
+       my $cn_html = encode_entities ($cn);
 
        print <<EOF;
-               <h2>Really delete $cn?</h2>
+               <h2>Really delete $cn_html?</h2>
 
                <div>
-                       You are about to delete <strong>$cn</strong>. Are you
-                       totally, absolutely sure you want to do this?
+                       You are about to delete <strong>$cn_html</strong>.
+                       Are you totally, absolutely sure you want to do this?
                </div>
 
                <div class="menu">
-                       [<a href="$MySelf?action=expunge&cn=$cn_esc">Yes, delete</a>]
-                       [<a href="$MySelf?action=detail&cn=$cn_esc">No, keep</a>]
+                       [<a href="$MySelf?action=expunge&cn=$cn_uri">Yes, delete</a>]
+                       [<a href="$MySelf?action=detail&cn=$cn_uri">No, keep</a>]
                </div>
 
 EOF
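Review bot: The confirmation page links to `action=expunge&cn=$cn_uri` (L340), so the actual deletion is a plain GET whose only parameter is the record name; any page an operator visits can trigger it with an `<img>` tag, and link prefetchers can follow it without a click, so the "are you sure" question here gives no protection. Make the expunge a POST form carrying a per-session random token that action_do_del verifies, and have action_do_del refuse other methods (`die unless (request_method () eq 'POST');`). Whether an authorization check elsewhere limits who can reach this is not visible from the hunk, but it would not stop a cross-site request riding on a logged-in operator's session.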
@@ -928,13 +963,15 @@ sub action_do_del
        my $cn = param ('cn');
        $cn or die;
 
+       my $cn_html = encode_entities ($cn);
+
        my $person = LiCoM::Person->load ($cn);
        $person or die;
 
        $person->delete ();
 
        print <<EOF;
-               <div>$cn has been deleted.</div>
+               <div>$cn_html has been deleted.</div>
 
 EOF
        action_browse ();
@@ -945,6 +982,8 @@ sub html_start
        my $title = shift;
        $title = q(Lightweight Contact Manager) unless ($title);
 
+       $title = encode_entities ($title);
+
        print <<EOF;
 Content-Type: text/html; charset=UTF-8
 
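Review bot: `encode_entities ($title)` with the default character set (L366) also converts every byte above 0x7F to an entity, so if `$title` — and the other values this commit encodes the same way — are undecoded UTF-8 byte strings, each byte of a non-ASCII name becomes a separate `&Atilde;`-style reference and the text is corrupted despite the `charset=UTF-8` header on L369. Either decode all strings to Perl characters at the LDAP boundary, or restrict the escaped set to the markup characters, `encode_entities ($title, '<>&"\'')`, in every call this commit adds. Which of the two applies depends on the LiCoM layer, which is outside this diff.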
@@ -1160,6 +1199,7 @@ EOF
        if ($UserID)
        {
                my $search = param ('search') || '';
+               $search = encode_entities ($search);
                print <<EOF;
                <div class="topmenu">
                        <form action="$MySelf" method="post">