From 2131f22bf603d199fae97110c260a70f4cddc643 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Sun, 11 Jun 2006 16:23:44 +0200 Subject: [PATCH] Escape the output to be HTML-safe. This is done using HTML::Entities. --- licom.cgi | 136 ++++++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 88 insertions(+), 48 deletions(-) diff --git a/licom.cgi b/licom.cgi index 70e1e72..f96349b 100755 --- a/licom.cgi +++ b/licom.cgi @@ -23,6 +23,7 @@ use lib (qw(lib)); use CGI (':cgi'); use CGI::Carp (qw(fatalsToBrowser)); use URI::Escape; +use HTML::Entities (qw(encode_entities)); use Data::Dumper; use LiCoM::Config (qw(get_config set_config read_config)); @@ -139,8 +140,11 @@ sub action_browse my $group_esc = uri_escape ($group_name); my $desc = $group->description (); - print qq#\t\t\t
  • $group_name ($members Member#, ($members == 1 ? ')' : 's)'); - print qq(
    \n\t\t\t\t$desc) if ($desc); + print qq#\t\t\t
  • #, + encode_entities ($group_name), + qq# ($members Member#, ($members == 1 ? ')' : 's)'); + print qq(
    \n\t\t\t\t), + encode_entities ($desc) . '' if ($desc); print "
  • \n"; } if (!@groups) @@ -226,7 +230,7 @@ EOF { my $field = $_; my @values = $person->get ($field); - print "\t\t\t\t" . join ('
    ', @values) . "\n"; + print "\t\t\t\t" . join ('
    ', map { encode_entities ($_) } (@values)) . "\n"; } print "\t\t\t\n"; @@ -250,22 +254,23 @@ sub action_detail $cn = shift if (@_); die unless ($cn); + my $cn_html = encode_entities ($cn); + my $cn_uri = uri_escape ($cn); + my $person = LiCoM::Person->load ($cn); if (!$person) { - print qq(\t
    Entry "$cn" could not be loaded from DB.
    \n); + print qq(\t
    Entry "$cn_html" could not be loaded from DB.
    \n); return; } - print qq(\t\t

    Details for $cn

    \n); - - my $cn_esc = uri_escape ($cn); + print qq(\t\t

    Details for $cn_html

    \n); print < Name - $cn + $cn_html EOF for (@MultiFields) @@ -273,38 +278,51 @@ EOF my $field = $_; my $values = $person->get ($field); my $num = scalar (@$values); - my $print = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field; + my $field_name = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field; next unless ($num); + $field_name = encode_entities ($field_name); + print "\t\t\t\n"; if ($num > 1) { - print qq(\t\t\t\t$print\n); + print qq(\t\t\t\t$field_name\n); } else { - print qq(\t\t\t\t$print\n); + print qq(\t\t\t\t$field_name\n); } for (my $i = 0; $i < $num; $i++) { my $val = $values->[$i]; + my $val_uri = uri_escape ($val); + my $val_html = encode_entities ($val); if ($field eq 'group') { - my $val_esc = uri_escape ($val); - $val = qq($val); + $val = qq($val_html); } elsif ($field eq 'uri') { - my $uri = $val; - $uri = qq(http://$val) unless ($val =~ m#^[a-z]+://#); - $val = qq($val); + if ($val =~ m#^([a-z]+)://(.+)$#) + { + $val_uri = $1 . '://' . uri_escape ($2); + } + else + { + $val_uri = 'http://' . uri_escape ($val); + } + $val = qq($val_html); } elsif ($field eq 'mail') { - $val = qq($val); + $val = qq($val_html); + } + else + { + $val = $val_html; } print "\t\t\t\n" if ($i); @@ -323,10 +341,11 @@ EOF { my $group = $groups[$i]; my $group_name = $group->name (); - my $group_esc = uri_escape ($group_name); + my $group_uri = uri_escape ($group_name); + my $group_html = encode_entities ($group_name); print "\t\t\t\n" if ($i != 0); - print qq(\t\t\t\t$group_name\n), + print qq(\t\t\t\t$group_html\n), "\t\t\t\n"; } } @@ -335,10 +354,10 @@ EOF EOF @@ -388,9 +407,10 @@ sub action_search { my $person = $_; my $cn = $person->name (); - my $cn_esc = uri_escape ($cn); + my $cn_uri = uri_escape ($cn); + my $cn_html = encode_entities ($cn); - print qq(\t\t
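Review bot: In the `uri` branch of action_detail, `$val_uri = $1 . '://' . uri_escape ($2)` percent-encodes the whole remainder of the address, and URI::Escape's default unsafe set includes `/`, `?`, `=` and `&`, so a stored value such as `http://example.com/a?b=1` (constructed example) becomes `http://example.com%2Fa%3Fb%3D1` and the link no longer resolves. The `[a-z]+` match also accepts any scheme as long as `://` follows it, so the href is not limited to web addresses; an allow-list of link schemes with the existing `http://` fallback for everything else is the safer shape, and inside the attribute the address only needs entity encoding, which `encode_entities` already provides. The anchor markup is stripped in this copy of the patch, so the `<a href>` form below is reconstructed from the old `qq($val)` line; the enclosing `for` loop and the sub continue outside the hunk.
```perl
elsif ($field eq 'uri')
{
    # Link only plain web schemes; anything else is treated as a bare
    # host and gets the http:// prefix, as the old code did.
    my $target = ($val =~ m#\A(?:https?|ftp)://#i) ? $val : 'http://' . $val;
    $val_uri = encode_entities ($target);
    $val = qq(<a href="$val_uri">$val_html</a>);
}
```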
  • $cn
  • \n); + print qq(\t\t
  • $cn_html
  • \n); } print qq(\t\n); } @@ -404,6 +424,8 @@ sub action_edit $cn = $opts{'cn'} if (defined ($opts{'cn'})); $cn ||= ''; + my $cn_html = encode_entities ($cn); + if (!$UserID) { $cn = $UserCN; @@ -451,7 +473,7 @@ sub action_edit if ($cn) { - print "\t\t

    Edit contact $cn

    \n"; + print "\t\t

    Edit contact $cn_html

    \n"; } else { @@ -461,7 +483,7 @@ sub action_edit print < - + @@ -499,10 +521,13 @@ EOF next if ($field eq 'group'); push (@values, ''); + + $field = encode_entities ($field); + $print = encode_entities ($print); for (@values) { - my $value = $_; + my $value = encode_entities ($_); print < @@ -526,7 +551,7 @@ EOF for (@all_groups) { my $group = $_; - my $group_name = $group->name (); + my $group_name = encode_entities ($group->name ()); my $selected = ''; if (grep { $cn eq $_ } ($group->get_members ())) @@ -626,7 +651,8 @@ sub action_save } else { - print qq(\t
    Group "$group_name" does not exist or could not be loaded.
    \n); + my $group_html = encode_entities ($group_name); + print qq(\t
    Group "$group_html" does not exist or could not be loaded.
    \n); } } @@ -672,7 +698,10 @@ sub action_update $person->firstname ($firstname) if ($firstname and $firstname ne $person->firstname ()); $cn = $person->name (); - # FIXME Fix groups + # FIXME Fix groups: + # Each group is one entry of type (objectClass=groupOfNames) + # with one or more `member' attributes. These attributes are + # the `dn' (distinguished name) of the member entries. } my $contacts = get_contacts (); @@ -793,6 +822,8 @@ sub action_verify $cn = shift if (@_); die unless ($cn); + my $cn_html = encode_entities ($cn); + my $person = LiCoM::Person->load ($cn); die unless ($person); @@ -800,21 +831,24 @@ sub action_verify $mail ||= ''; my $message; - my $password = $person->get ('password'); + my ($password) = $person->get ('password'); + my $password_html; if (!$password) { $password = pwgen (); - $person->set ('password', $password); + $person->set ('password', [$password]); } + $password_html = encode_entities ($password); - $message = qq(The password for the record "$cn" is "$password".); + $message = qq(The password for the record "$cn_html" is "$password_html".); if ($mail) { if (action_verify_send_mail ($person)) { - $message .= qq( A request for verification has been sent to $mail.); + my $mail_html = encode_entities ($mail); + $message .= qq( A request for verification has been sent to $mail_html.); } } else @@ -836,8 +870,8 @@ sub action_verify_send_mail my ($owner_mail) = $owner->get ('mail'); if (!$owner_mail) { - my $cn = uri_escape ($UserCN); - print qq(\t\t
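Review bot: In action_verify, `my $password_html;` is declared before the `if (!$password)` block and only assigned after it, which leaves an undef window and splits one idea across two statements; a single `my $password_html = encode_entities ($password);` placed after the block reads better. The switch to `my ($password) = $person->get ('password')` and `$person->set ('password', [$password])` matches the list-valued accessor use elsewhere in the patch. Note that entity encoding only makes the page markup-safe: the message still shows the record's password in clear text, as it did before this patch. The sub continues outside the hunk.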
    You have no email set in your own profile. Edit it now!
    \n); + my $cn_uri = uri_escape ($UserCN); + print qq(\t\t
    You have no email set in your own profile. Edit it now!
    \n); return (0); } @@ -848,15 +882,15 @@ sub action_verify_send_mail } $max_width++; - my $person_name = $person->name (); + my $person_name = $person->name (); my ($person_mail) = $person->get ('mail'); - my $person_gn = $person->firstname (); - my $password = $person->get ('password'); + my $person_gn = $person->firstname (); + my ($password) = $person->get ('password'); my $host = $ENV{'HTTP_HOST'}; my $url = (defined ($ENV{'HTTPS'}) ? 'https://' : 'http://') . $host . $MySelf; - open ($smh, "| /usr/sbin/sendmail -t -f $owner_mail") or die ("open pipe to sendmail: $!"); + open ($smh, '|-', '/usr/sbin/sendmail', '-t', '-f', $owner_mail) or die ("open (sendmail): $!"); print $smh < From: $UserCN <$owner_mail> @@ -905,19 +939,20 @@ sub action_ask_del my $person = LiCoM::Person->load ($cn); $person or die; - my $cn_esc = uri_escape ($cn); + my $cn_uri = uri_escape ($cn); + my $cn_html = encode_entities ($cn); print <Really delete $cn? +
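Review bot: The list-form `open ($smh, '|-', '/usr/sbin/sendmail', '-t', '-f', $owner_mail)` takes the shell out of the pipe, but with `-t` sendmail reads the recipients from the message headers, and the heredoc that begins with `From: $UserCN <$owner_mail>` interpolates directory values into those headers unchecked; a CR or LF in `$UserCN`, `$owner_mail` or `$person_mail` (presumably used in the To: line, which lies outside the hunk) would end the header and let the rest be read as further header lines. A guard before the open, `die "newline in mail header value" if grep { m/[\r\n]/ } ($UserCN, $owner_mail, $person_mail);`, closes that. The `close $smh` that reports sendmail's exit status is also outside the hunk and is worth checking with `or die`. `$smh` is not declared within the hunk; it is presumably a `my` earlier in the sub.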

    Really delete $cn_html?

    - You are about to delete $cn. Are you - totally, absolutely sure you want to do this? + You are about to delete $cn_html. + Are you totally, absolutely sure you want to do this?
    EOF @@ -928,13 +963,15 @@ sub action_do_del my $cn = param ('cn'); $cn or die; + my $cn_html = encode_entities ($cn); + my $person = LiCoM::Person->load ($cn); $person or die; $person->delete (); print <$cn has been deleted. +
    $cn_html has been deleted.
    EOF action_browse (); @@ -945,6 +982,8 @@ sub html_start my $title = shift; $title = q(Lightweight Contact Manager) unless ($title); + $title = encode_entities ($title); + print <
    -- 2.11.0
    Lastname