author | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2016-04-14 22:44:44 +0200 |
---|---|---|
committer | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2016-04-14 22:44:44 +0200 |
commit | 50e5dbbf4b6fd1593396437ef05d8e6902c0f17c (patch) | |
tree | 6af622965355d6dfe7b9a825ecb78f6d9bc2d2d0 | |
parent | 22d6497150e41d309b990334b8ad593b3917c4dc (diff) |
Bugfix for & in participant names
- Store real string every time
- Do sanitization when strings are printed to HTML
Closes: #16
-rw-r--r-- | poll.rb | 20 | ||||
-rw-r--r-- | pollhead.rb | 10 | ||||
-rw-r--r-- | timepollhead.rb | 2 |
3 files changed, 15 insertions, 17 deletions
@@ -90,18 +90,18 @@ class Poll
 ret += "<td><span class='edituser'>"
 ret += "<a title=\""
 ret += _("Edit user %{user}...") % {:user => CGI.escapeHTML(participant)}
- ret += "\" href=\"?edituser=#{CGI.escapeHTML(CGI.escape(participant))}\">"
+ ret += "\" href=\"?edituser=#{CGI.escape(participant)}\">"
 ret += EDIT
 ret += "</a> | <a title=\""
 ret += _("Delete user %{user}...") % {:user => CGI.escapeHTML(participant)}
- ret += "\" href=\"?deleteuser&edituser=#{CGI.escapeHTML(CGI.escape(participant))}\">"
+ ret += "\" href=\"?deleteuser&edituser=#{CGI.escape(participant)}\">"
 ret += "#{DELETE}</a>"
 ret += "</span></td>"
 ret += "<td class='name'>"
 else
 ret += "<td class='name' colspan='2'>"
 end
- ret += "<span id=\"#{participant.to_htmlID}\">#{participant}</span>"
+ ret += "<span id=\"#{participant.to_htmlID}\">#{CGI.escapeHTML(participant)}</span>"
 ret += "</td>"
 ret
 end
@@ -417,24 +417,22 @@ FORM
 maximum ||= 0
 name = "Anonymous ##{maximum + 1}"
 end
- htmlname = CGI.escapeHTML(name)
 action = ''
- if @data.delete(CGI.escapeHTML(olduser))
+ if @data.delete(olduser)
 action = "edited"
 else
 action = "added"
 end
- @data[htmlname] = {"timestamp" => Time.now }
+ @data[name] = {"timestamp" => Time.now }
 @head.columns.each{|column|
- @data[htmlname][column] = agreed[column.to_s]
+ @data[name][column] = agreed[column.to_s]
 }
 store "Participant #{name.strip} #{action}"
 end

 def delete(name)
- htmlname = CGI.escapeHTML(name.strip)
- if @data.has_key?(htmlname)
- @data.delete(htmlname)
+ if @data.has_key?(name)
+ @data.delete(name)
 store "Participant #{name.strip} deleted"
 end
 end
@@ -445,7 +443,7 @@ FORM
 out << self.to_yaml
 out.chmod(0660)
 end
- VCS.commit(CGI.escapeHTML(comment))
+ VCS.commit(comment)
 end

 ###############################
diff --git a/pollhead.rb b/pollhead.rb
index 732f300..ac8d9bd 100644
--- a/pollhead.rb
+++ b/pollhead.rb
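Review bot: `participant.to_htmlID` is still interpolated unescaped into the `id` attribute on the last changed line, while the visible name next to it now goes through `CGI.escapeHTML`; whether that is safe depends on `to_htmlID`, which is defined outside this hunk, so it should be confirmed that its output contains no `"`, `<` or `&` that could close the attribute. A short comment at the call site would pin the assumption down, e.g. `# to_htmlID must yield an attribute-safe id; the displayed name is escaped separately`. Replacing the former double escaping in the two `href` attributes with plain `CGI.escape` is fine, since URL-encoded output contains no HTML-special characters. The enclosing method starts before this hunk.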
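Review bot: Data files written before this commit hold the HTML-escaped keys produced by the removed `@data[htmlname]` line, and the new `@data.delete(olduser)`, `@data.has_key?(name)` and `@data.delete(name)` look up the raw name, so a participant stored as `A &amp; B` can no longer be edited or deleted and, once the output escaping in the hunk at line 90 runs over the stored key, is shown as `A &amp;amp; B`. The commit contains no migration; a one-off conversion of existing keys on load (e.g. running `CGI.unescapeHTML` over participant names of polls saved before this change) or a fallback lookup on the escaped key would cover older polls. The same concern applies to column descriptions stored by the pollhead.rb hunk at line 45. The method this hunk belongs to starts before the hunk.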
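Review bot: `VCS.commit(comment)` now receives a message built from the unescaped participant name (`store "Participant #{name.strip} #{action}"` in the hunk above); the dropped `CGI.escapeHTML` was never a suitable sanitizer for that path, so what matters is how `VCS.commit`, defined outside this section, hands the message to the version-control tool. Confirm it passes the message as a separate argument (array form of `system`/`IO.popen`) rather than interpolating it into a shell command line, and that any view printing the history into HTML escapes it on output as this commit now does for names. A comment such as `# comment is raw user input; VCS.commit must not pass it through a shell` would document that contract. The `store` method starts before this hunk.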
@@ -45,7 +45,7 @@ class PollHead

 parsedtitle = newtitle.strip
 if parsedtitle != ""
- @data[parsedtitle] = CGI.escapeHTML(cgi["columndescription"].strip)
+ @data[parsedtitle] = cgi["columndescription"].strip
 return parsedtitle
 else
 return false
@@ -61,10 +61,10 @@ SORTSYMBOL
 ret = "<tr>"
 ret += "<th colspan='2'><a href='?sort=name'>" + _("Name") + " #{sortsymb(scols,"name")}</a></th>\n" unless showeditbuttons
 @data.sort.each{|columntitle,columndescription|
- ret += "<th title=\"#{columndescription}\""
+ ret += "<th title=\"#{CGI.escapeHTML(columndescription)}\""
 ret += " id='active' " if activecolumn == columntitle
 ret += ">"
- ret += "<a href=\"?sort=#{CGI.escapeHTML(CGI.escape(columntitle))}\">" unless showeditbuttons
+ ret += "<a href=\"?sort=#{CGI.escape(columntitle)}\">" unless showeditbuttons
 ret += "#{CGI.escapeHTML(columntitle)}"
 ret += "#{sortsymb(scols,columntitle)}</a>" unless showeditbuttons
 if showeditbuttons
@@ -73,7 +73,7 @@ SORTSYMBOL
 ret += <<EDITDELETE
 <form method='post' action=''>
 <div class='editdelete'>
- <a class='editcolumn' href="?editcolumn=#{CGI.escapeHTML(CGI.escape(columntitle))}" title="#{editstr}">
+ <a class='editcolumn' href="?editcolumn=#{CGI.escape(columntitle)}" title="#{editstr}">
 #{EDIT}
 </a>|
 <input style='padding:0;margin:0' title='#{deletestr}' class='delete' type='submit' value='#{DELETE}' />
@@ -110,7 +110,7 @@ EDITDELETE
 <td><input id='columntitle' type='text' value="#{title}" name='new_columnname' /></td>
 </tr><tr>
 <td class='label'><label for='columndescription'>#{descriptionstr}:</label></td>
- <td><input id='columndescription' type='text' value="#{description}" name='columndescription' /></td>
+ <td><input id='columndescription' type='text' value="#{CGI.escapeHTML(description.to_s)}" name='columndescription' /></td>
 </tr><tr>
 <td></td>
 <td>
diff --git a/timepollhead.rb b/timepollhead.rb
index 6341537..da48518 100644
--- a/timepollhead.rb
+++ b/timepollhead.rb
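Review bot: `CGI.escapeHTML(columndescription)` on the first changed line of the hunk at line 61 raises `TypeError` when the description is `nil`, whereas the former `"#{columndescription}"` printed an empty string; the hunk at line 110 of this file guards the same kind of value with `description.to_s`, which suggests missing descriptions do occur. Use `ret += "<th title=\"#{CGI.escapeHTML(columndescription.to_s)}\""` to keep the old tolerance. The enclosing method starts before this hunk.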
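Review bot: In the hunk at line 110, the context line directly above the change still interpolates `value="#{title}"` without escaping while `description` now is; column titles are user input (the hunk at line 61 escapes `columntitle` on output), so unless the caller escapes `title` before building this form, a title containing `"` breaks out of the attribute and one containing `&` is pre-filled wrongly. Apply the same treatment: `<td><input id='columntitle' type='text' value="#{CGI.escapeHTML(title.to_s)}" name='new_columnname' /></td>`. The heredoc this hunk belongs to starts and ends outside it.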
@@ -157,7 +157,7 @@ SORTSYMBOL

 ret += "<th class='invisible'></th></tr><tr><th colspan='2'><a href='?sort=name'>" + _("Name") + " #{sortsymb(scols,"name")}</a></th>"
 @data.sort.each{|date|
- ret += "<th><a title=\"#{CGI.escapeHTML(date.to_s)}\" href=\"?sort=#{CGI.escape(CGI.escapeHTML(date.to_s))}\">#{CGI.escapeHTML(date.time_to_s)} #{sortsymb(scols,date.to_s)}</a></th>\n"
+ ret += "<th><a title=\"#{CGI.escapeHTML(date.to_s)}\" href=\"?sort=#{CGI.escape(date.to_s)}\">#{CGI.escapeHTML(date.time_to_s)} #{sortsymb(scols,date.to_s)}</a></th>\n"
 }
 ret += "<th><a href='?'>" + _("Last Edit") + " #{sortsymb(scols,"timestamp")}</a></th>\n</tr>\n"
 ret
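Review bot: Style: the rewritten line calls `date.to_s` three times and mixes two escaping functions inside one very long string, which makes it hard to audit which escaper applies to which context. Binding the value once with `datestr = date.to_s` and assembling the `title`, `href` and label parts on separate lines would make the intent (`CGI.escape` for the query string, `CGI.escapeHTML` for attribute and text) obvious at a glance. The escaping choices themselves are correct. The enclosing method starts before this hunk.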