From 89afd0a64110710c135b558614cdd755a181349b Mon Sep 17 00:00:00 2001
From: Benjamin Kellermann <Benjamin.Kellermann@gmx.de>
Date: Mon, 7 Jan 2019 22:03:42 +0100
Subject: code refactoring: better output encoding

---
 config_sample.rb | 2 +-
 error.cgi        | 7 +------
 maintenance.cgi  | 5 -----
 timepollhead.rb  | 4 ++--
 timestring.rb    | 2 +-
 5 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/config_sample.rb b/config_sample.rb
index 0000e15..833bcab 100644
--- a/config_sample.rb
+++ b/config_sample.rb
@@ -76,7 +76,7 @@
 #}.reverse.collect{|f| f.gsub(/\/data\.yaml$/,'') }.each{|site|
 #	$conf.indexnotice += <<INDEXNOTICE
 #<tr class='participantrow'>
-#	<td class='polls'><a href='./#{CGI.escapeHTML(site).gsub("'","%27")}/'>#{CGI.escapeHTML(site)}</a></td>
+#	<td class='polls'><a href='./#{CGI.escape(site)}/'>#{CGI.escapeHTML(site)}</a></td>
 #	<td class='mtime'>#{File.new(site + "/data.yaml").mtime.strftime('%d.%m, %H:%M')}</td>
 #</tr>
 #INDEXNOTICE
diff --git a/error.cgi b/error.cgi
index 4b4f82f..b71e0c0 100755
--- a/error.cgi
+++ b/error.cgi
@@ -27,11 +27,6 @@ else
 	$d = Dudle.new(:title => _("Error"), :hide_lang_chooser => true, :load_extensions => false)
 end
 
-def urlescape(str)
-	CGI.escapeHTML(CGI.escape(str).gsub("+","%20"))
-end
-
-
 if File.exists?($conf.errorlog)
 	begin
 		a = File.open($conf.errorlog,"r").to_a
@@ -50,7 +45,7 @@ end
 	errormessagebody = _("Hi!\n\nI found a bug in your application at %{urlofsite}.\nI did the following:\n\n<please describe what you did>\n<e.g., I wanted to post a comment to the poll.>\n\nI am using <please state your browser and operating system>\n%{errormessage}\nSincerely,\n") % {:errormessage => errormessage, :urlofsite => $conf.siteurl}
 	subject = _("Bug in Dudle")
 
-	$d << _("An error occurred while executing Dudle.<br/>Please send an error report, including your browser, operating system, and what you did to %{admin}.") % {:admin => "<a href='mailto:#{$conf.bugreportmail}?subject=#{urlescape(subject)}&amp;body=#{urlescape(errormessagebody)}'>#{$conf.bugreportmail}</a>"}
+	$d << _("An error occurred while executing Dudle.<br/>Please send an error report, including your browser, operating system, and what you did to %{admin}.") % {:admin => "<a href='mailto:#{$conf.bugreportmail}?subject=#{CGI.escape(subject)}&amp;body=#{CGI.escape(errormessagebody)}'>#{$conf.bugreportmail}</a>"}
 
 if (errorstr)
 	errorheadstr = _("Please include the following as well:")
diff --git a/maintenance.cgi b/maintenance.cgi
index 3c5d233..a4c4e31 100755
--- a/maintenance.cgi
+++ b/maintenance.cgi
@@ -27,11 +27,6 @@ else
 	$d = Dudle.new(:title => _("Maintenance"), :hide_lang_chooser => true)
 end
 
-def urlescape(str)
-	CGI.escapeHTML(CGI.escape(str).gsub("+","%20"))
-end
-
-
 if File.exists?("maintenance.html")
 	$d << _("This site is currently undergoing maintenance!")
 	$d << File.open("maintenance.html","r").read
diff --git a/timepollhead.rb b/timepollhead.rb
index 524dcab..c1c755e 100644
--- a/timepollhead.rb
+++ b/timepollhead.rb
@@ -403,7 +403,7 @@ END
 						hiddenvars += "<input type='hidden' name='columnid' value=\"#{TimeString.new(day,nil)}\" />"
 					end
 				end
-				ret += "<td>" + add_remove_button(klasse, chosenstr[klasse], "columntime", CGI.escapeHTML(timestamp.time_to_s.to_s), revision, hiddenvars) + "</td>"
+				ret += "<td>" + add_remove_button(klasse, chosenstr[klasse], "columntime", CGI.escapeHTML(timestamp.time_to_s), revision, hiddenvars) + "</td>"
 
 			}
 			ret += "</tr>\n"
@@ -423,7 +423,7 @@ END
 				<input type='hidden' name='undo_revision' value='#{revision}' />
 END
 			if @data.include?(TimeString.new(d,nil))
-				ret += "<input type='hidden' name='columnid' value='#{TimeString.new(d,nil).to_s}' />"
+				ret += "<input type='hidden' name='columnid' value='#{TimeString.new(d,nil)}' />"
 			end
 			addstr = _("Add")
 			hintstr = _("e.&thinsp;g., 09:30, morning, afternoon")
diff --git a/timestring.rb b/timestring.rb
index 3fd0eb1..d93eb81 100644
--- a/timestring.rb
+++ b/timestring.rb
@@ -72,7 +72,7 @@ class TimeString
 	end
 	def to_s
 		if @time
-			"#{@date} #{time_to_s}"
+			"#{CGI.escapeHTML(@date.to_s)} #{time_to_s}"
 		else
 			CGI.escapeHTML(@date.to_s)
 		end
-- 
cgit v1.2.3