Created Codestriker topic at:
http://codestriker.sourceforge.net/cgi-bin/codestriker.pl?topic=2904007&action=view
User: sits
Date: 05/10/05 00:56:10
Modified: . CHANGELOG
html codestriker.js
lib Codestriker.pm
lib/Codestriker/Http Response.pm
Log:
* Comments containing '+' characters were changed into ' ' characters
when posted via AJAX. Other potentially damaging characters are now
escaped.
* Comments with '\' characters are now displayed correctly in all
cases within the tooltip window.
Index: CHANGELOG
===================================================================
RCS file: /cvsroot/codestriker/codestriker/CHANGELOG,v
retrieving revision 1.175
retrieving revision 1.176
diff -u -r1.175 -r1.176
--- CHANGELOG 11 Aug 2005 12:04:55 -0000 1.175
+++ CHANGELOG 5 Oct 2005 07:56:09 -0000 1.176
@@ -1,6 +1,15 @@
*** When upgrading, don't forget to: "cd bin ; ./install.pl" ***
*** Also, it is _highly_ advisable to backup your data before upgrading ***
+Version 1.9.2
+
+* Comments containing '+' characters were changed into ' ' characters
+ when posted via AJAX. Other potentially damaging characters are now
+ escaped.
+
+* Comments with '\' characters are now displayed correctly in all
+ cases within the tooltip window.
+
Version 1.9.1
* Correct problem introduced in 1.9.0 release where the email address
Index: codestriker.js
===================================================================
RCS file: /cvsroot/codestriker/codestriker/html/codestriker.js,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- codestriker.js 11 Aug 2005 12:04:55 -0000 1.13
+++ codestriker.js 5 Oct 2005 07:56:09 -0000 1.14
@@ -23,6 +23,22 @@
windowHandle.focus();
}
+// Function for escaping value to be URL safe. Also
+// make sure that potentially damaging punctuation
+// is escaped. For example, a '+' character will be
+// interpreted as a space character when it is put into a URL.
+function extra_escape(value)
+{
+ value = escape(value);
+ value = value.replace(/\//g, "%2F");
+ value = value.replace(/\?/g, "%3F");
+ value = value.replace(/\=/g, "%3D");
+ value = value.replace(/\+/g, "%2B");
+ value = value.replace(/\&/g, "%26");
+ value = value.replace(/\@/g, "%40");
+ return value;
+}
+
// Retrieve the value of a cookie by name.
function getCookie(name)
{
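Review bot: `extra_escape` is built on `escape()`, which besides leaving `@`, `+` and `/` unencoded (hence the replacements here) emits the non-standard `%uXXXX` form for any character above U+00FF, so a comment containing such text reaches the server as a literal `%u...` string that a CGI parameter decoder will not unescape; the `?`, `=` and `&` replacements are redundant since `escape()` already encodes those. `encodeURIComponent()` covers every case this function patches plus the non-ASCII one, so the body could reduce to `return encodeURIComponent(value);` and the call sites in the two later hunks would need no further change. If browsers lacking `encodeURIComponent` still have to be supported, keep the fallback but state in the header comment that non-ASCII input is not handled correctly by it.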
@@ -249,7 +265,7 @@
// cookie, so that it is remembered for the next add comment tooltip.
var cookie = getCookie('codestriker_cookie');
cs_email = comment_form.email.value;
- var email_value = escape(cs_email);
+ var email_value = extra_escape(cs_email);
if (cookie == null || cookie == '') {
cookie = 'email&' + email_value;
}
@@ -266,20 +282,20 @@
// request as an XMLHttpRequest, and return false so the browser
// does nothing else.
var params = 'action=submit_comment';
- params += '&line=' + escape(comment_form.line.value);
- params += '&topic=' + escape(comment_form.topic.value);
- params += '&fn=' + escape(comment_form.fn.value);
- params += '&new=' + escape(comment_form.newval.value);
- params += '&comments=' + escape(comment_form.comments.value);
- params += '&email=' + escape(comment_form.email.value);
- params += '&comment_cc=' + escape(comment_form.comment_cc.value);
+ params += '&line=' + extra_escape(comment_form.line.value);
+ params += '&topic=' + extra_escape(comment_form.topic.value);
+ params += '&fn=' + extra_escape(comment_form.fn.value);
+ params += '&new=' + extra_escape(comment_form.newval.value);
+ params += '&comments=' + extra_escape(comment_form.comments.value);
+ params += '&email=' + extra_escape(comment_form.email.value);
+ params += '&comment_cc=' + extra_escape(comment_form.comment_cc.value);
params += '&format=xml';
for (var i = 0; i < top.cs_metric_data.length; i++) {
var comment_param =
- escape('comment_state_metric_' + top.cs_metric_data[i].name);
+ extra_escape('comment_state_metric_' +
top.cs_metric_data[i].name);
params += '&' + comment_param + '=' +
- escape(eval('comment_form.' + comment_param + '.value'));
+ extra_escape(eval('comment_form.' + comment_param +
'.value'));
}
setStatusText('Submitting comment...');
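Review bot: The new lines at the end of the loop still resolve the field with `eval('comment_form.' + comment_param + '.value')`, where `comment_param` is the already-escaped name; this only works while metric names contain no character that `extra_escape` rewrites, and `eval` is not needed for a property lookup at all. `comment_form['comment_state_metric_' + top.cs_metric_data[i].name].value` reads the field directly from the raw name and leaves `comment_param` to serve the URL only. The enclosing function starts outside the hunk.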
Index: Codestriker.pm
===================================================================
RCS file: /cvsroot/codestriker/codestriker/lib/Codestriker.pm,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- Codestriker.pm 11 Aug 2005 12:04:55 -0000 1.79
+++ Codestriker.pm 5 Oct 2005 07:56:10 -0000 1.80
@@ -27,7 +27,7 @@
);
# Version of Codestriker.
-$Codestriker::VERSION = "1.9.1";
+$Codestriker::VERSION = "1.9.2";
# Default title to display on each Codestriker screen.
$Codestriker::title = "Codestriker $Codestriker::VERSION";
Index: Response.pm
===================================================================
RCS file: /cvsroot/codestriker/codestriker/lib/Codestriker/Http/Response.pm,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- Response.pm 7 Jun 2005 22:51:46 -0000 1.34
+++ Response.pm 5 Oct 2005 07:56:10 -0000 1.35
@@ -385,6 +385,7 @@
# Need to format the data appropriately for HTML display.
my $data = HTML::Entities::encode($comment->{data});
+ $data =~ s/\\/\\\\/mgo;
$data =~ s/\'/\\\'/mgo;
$data =~ s/\n/<br>/mgo;
$data =~ s/ \s+/' ' x (length($&)-1)/emgo;
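Review bot: The new backslash escape is correctly placed before the `\'` escape, but neither substitution handles a carriage return: as far as I can tell `HTML::Entities::encode`'s default set leaves `\r` alone, and the `\n` → `<br>` rewrite does not consume it, so text submitted from a browser textarea with CRLF line endings keeps a raw CR inside what the `\'` escape suggests is a single-quoted JavaScript string, where a bare CR ends the literal. Removing it before the newline substitution, `$data =~ s/\r//g;`, keeps the emitted string well-formed. The `/o` modifier on these constant patterns has no effect and could be dropped. The enclosing subroutine starts and ends outside the hunk.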