Author: richter
Date: Sun Jan 5 13:31:12 2025
New Revision: 1922899
URL: http://svn.apache.org/viewvc?rev=1922899&view=rev
Log:
Fix missing escape of name attribute in hidden command
Added:
perl/embperl/trunk/test/cmp/hidden_escape.htm
perl/embperl/trunk/test/html/hidden_escape.htm
Modified:
perl/embperl/trunk/epcmd.c
perl/embperl/trunk/epcmd2.c
perl/embperl/trunk/test.pl
Modified: perl/embperl/trunk/epcmd.c
URL:
http://svn.apache.org/viewvc/perl/embperl/trunk/epcmd.c?rev=1922899&r1=1922898&r2=1922899&view=diff
==============================================================================
--- perl/embperl/trunk/epcmd.c (original)
+++ perl/embperl/trunk/epcmd.c Sun Jan 5 13:31:12 2025
@@ -812,7 +812,7 @@ static int CmdHidden (/*i/o*/ register r
if (ppsv && (!(r -> Component.Config.bOptions &
optNoHiddenEmptyValue) || *SvPV (*ppsv, na)))
{
oputs (r, "<input type=\"hidden\" name=\"") ;
- oputs (r, pKey) ;
+ OutputToHtml (r, pKey) ;
oputs (r, "\" value=\"") ;
OutputToHtml (r, SvPV (*ppsv, na)) ;
oputs (r, "\">\n") ;
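Review bot: The escaping added for `pKey` in this hunk appears to depend on the page's current escape mode rather than being unconditional. OutputToHtml itself is not shown here, but the parallel change in epcmd2.c passes `r -> Component.nCurrEscMode` to Escape(). pKey is a form field name taken from the request, so on a page that has switched HTML escaping off the name would presumably still be written raw into the `name="..."` attribute. State that dependency in a comment above the call, e.g. `/* key comes from request data; only escaped while the current escape mode has HTML escaping on */`, or force HTML escaping for this attribute regardless of mode. The same applies to the second hunk at -833; CmdHidden starts and ends outside both hunks.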
@@ -833,7 +833,7 @@ static int CmdHidden (/*i/o*/ register r
if (!(r -> Component.Config.bOptions & optNoHiddenEmptyValue)
|| *SvPV (psv, na))
{
oputs (r, "<input type=\"hidden\" name=\"") ;
- oputs (r, pKey) ;
+ OutputToHtml (r, pKey) ;
oputs (r, "\" value=\"") ;
OutputToHtml (r, SvPV (psv, na)) ;
oputs (r, "\">\n") ;
Modified: perl/embperl/trunk/epcmd2.c
URL:
http://svn.apache.org/viewvc/perl/embperl/trunk/epcmd2.c?rev=1922899&r1=1922898&r2=1922899&view=diff
==============================================================================
--- perl/embperl/trunk/epcmd2.c (original)
+++ perl/embperl/trunk/epcmd2.c Sun Jan 5 13:31:12 2025
@@ -334,26 +334,29 @@ int embperlCmd_Hidden (/*i/o*/ register
if (ppsv && (pKey = SvPV(*ppsv, nKey)) && !hv_exists (pSubHash,
pKey, nKey))
{
STRLEN lppsv ;
- ppsv = hv_fetch (pAddHash, pKey, nKey, 0) ;
+ ppsv = hv_fetch (pAddHash, pKey, nKey, 0) ;
- if (ppsv && (!(r -> Component.Config.bOptions &
optNoHiddenEmptyValue) || *SvPV (*ppsv, lppsv)))
+ if (ppsv && (!(r -> Component.Config.bOptions &
optNoHiddenEmptyValue) || *SvPV (*ppsv, lppsv)))
{
char * s ;
- STRLEN l ;
+ STRLEN l ;
SV * sEscapedText ;
- tNode xInputNode = Node_appendChild (r -> pApp, pDomTree,
pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
+ tNode xInputNode = Node_appendChild (r -> pApp,
pDomTree, pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
tNode xAttr = Node_appendChild (r -> pApp, pDomTree,
xInputNode, nRepeatLevel, ntypAttr, 0, "type", 4, 0, 0, NULL) ;
Node_appendChild (r -> pApp, pDomTree,
xAttr, nRepeatLevel, ntypAttrValue, 0, "hidden", 6, 0, 0, NULL) ;
xAttr = Node_appendChild (r -> pApp, pDomTree,
xInputNode, nRepeatLevel, ntypAttr, 0, "name", 4, 0, 0, NULL) ;
- Node_appendChild (r -> pApp, pDomTree,
xAttr, nRepeatLevel, ntypAttrValue, 0, pKey, nKey, 0, 0, NULL) ;
+
+ sEscapedText = Escape (r, pKey, nKey, r ->
Component.nCurrEscMode, NULL, '\0') ;
+ s = SV2String (sEscapedText, l) ;
+ Node_appendChild (r -> pApp, pDomTree,
xAttr, nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
xAttr = Node_appendChild (r -> pApp, pDomTree,
xInputNode, nRepeatLevel, ntypAttr, 0, "value", 5, 0, 0, NULL) ;
- s = SvPV (*ppsv, l) ;
+ s = SvPV (*ppsv, l) ;
sEscapedText = Escape (r, s, l, r ->
Component.nCurrEscMode, NULL, '\0') ;
s = SV2String (sEscapedText, l) ;
- Node_appendChild (r -> pApp, pDomTree, xAttr, nRepeatLevel,
ntypAttrValue, 0, s, l, 0, 0, NULL) ;
+ Node_appendChild (r -> pApp, pDomTree, xAttr,
nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
SvREFCNT_dec (sEscapedText) ;
}
}
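Review bot: The SV returned by the new `Escape (r, pKey, nKey, ...)` call is never released. `sEscapedText` is overwritten by the second Escape() call for the value, and only that second SV reaches `SvREFCNT_dec (sEscapedText) ;` at the end of the block. Judging by that existing decrement, Escape() hands the caller a reference it must drop, so each hidden field emitted would leak one SV per request. Add `SvREFCNT_dec (sEscapedText) ;` directly after the Node_appendChild call that appends the escaped name, before the "value" attribute is created. The second hunk at -375 has the same pattern; embperlCmd_Hidden starts and ends outside both hunks.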
@@ -375,21 +378,24 @@ int embperlCmd_Hidden (/*i/o*/ register
if (!(r -> Component.Config.bOptions & optNoHiddenEmptyValue)
|| *SvPV (psv, lpsv))
{
char * s ;
- STRLEN l ;
+ STRLEN l ;
SV * sEscapedText ;
- tNode xInputNode = Node_appendChild (r -> pApp, pDomTree,
pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
+ tNode xInputNode = Node_appendChild (r -> pApp,
pDomTree, pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
tNode xAttr = Node_appendChild (r -> pApp, pDomTree,
xInputNode, nRepeatLevel, ntypAttr, 0, "type", 4, 0, 0, NULL) ;
Node_appendChild (r -> pApp, pDomTree,
xAttr, nRepeatLevel, ntypAttrValue, 0, "hidden", 6, 0, 0, NULL) ;
xAttr = Node_appendChild (r -> pApp, pDomTree,
xInputNode, nRepeatLevel, ntypAttr, 0, "name", 4, 0, 0, NULL) ;
- Node_appendChild (r -> pApp, pDomTree,
xAttr, nRepeatLevel, ntypAttrValue, 0, pKey, nKey, 0, 0, NULL) ;
+
+ sEscapedText = Escape (r, pKey, nKey, r ->
Component.nCurrEscMode, NULL, '\0') ;
+ s = SV2String (sEscapedText, l) ;
+ Node_appendChild (r -> pApp, pDomTree,
xAttr, nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
xAttr = Node_appendChild (r -> pApp, pDomTree,
xInputNode, nRepeatLevel, ntypAttr, 0, "value", 5, 0, 0, NULL) ;
- s = SvPV (psv, l) ;
+ s = SvPV (psv, l) ;
sEscapedText = Escape (r, s, l, r ->
Component.nCurrEscMode, NULL, '\0') ;
s = SV2String (sEscapedText, l) ;
- Node_appendChild (r -> pApp, pDomTree, xAttr, nRepeatLevel,
ntypAttrValue, 0, s, l, 0, 0, NULL) ;
+ Node_appendChild (r -> pApp, pDomTree, xAttr,
nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
SvREFCNT_dec (sEscapedText) ;
}
}
Modified: perl/embperl/trunk/test.pl
URL:
http://svn.apache.org/viewvc/perl/embperl/trunk/test.pl?rev=1922899&r1=1922898&r2=1922899&view=diff
==============================================================================
--- perl/embperl/trunk/test.pl (original)
+++ perl/embperl/trunk/test.pl Sun Jan 5 13:31:12 2025
@@ -315,6 +315,9 @@ use lib '.';
'hidden.htm' => {
'query_info' =>
'feld1=Wert1&feld2=Wert2&feld3=Wert3&feld4=Wert4?foo=bar',
},
+ 'hidden_escape.htm' => {
+ 'query_info' =>
'%22%3E%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E=1',
+ },
'java.htm' => { },
'inputjava.htm' => { },
'inputjs2.htm' => {
Added: perl/embperl/trunk/test/cmp/hidden_escape.htm
URL:
http://svn.apache.org/viewvc/perl/embperl/trunk/test/cmp/hidden_escape.htm?rev=1922899&view=auto
==============================================================================
--- perl/embperl/trunk/test/cmp/hidden_escape.htm (added)
+++ perl/embperl/trunk/test/cmp/hidden_escape.htm Sun Jan 5 13:31:12 2025
@@ -0,0 +1,13 @@
+<html>
+
+<head>
+ <title>hello I am a test</title>
+</head>
+
+<body>
+ <h1>hello I am a test</h1>
+ <form>
+ <input type="hidden"
name=""><script>alert("hello");</script>"
value="1">
+ </form>
+
+</html>
\ No newline at end of file
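Review bot: The expected output, as shown here, carries the field name unescaped in `name=""><script>alert("hello");</script>"`, which is exactly the markup the fix is meant to stop emitting. The mail rendering may have decoded entities, but if the committed file really holds these literal characters, the comparison would only pass against unescaped output and the test would pin the old behaviour. Confirm that the file in the repository stores the entity-encoded form of the name, so that a regression to the raw `oputs (r, pKey)` path fails the test.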
Added: perl/embperl/trunk/test/html/hidden_escape.htm
URL:
http://svn.apache.org/viewvc/perl/embperl/trunk/test/html/hidden_escape.htm?rev=1922899&view=auto
==============================================================================
--- perl/embperl/trunk/test/html/hidden_escape.htm (added)
+++ perl/embperl/trunk/test/html/hidden_escape.htm Sun Jan 5 13:31:12 2025
@@ -0,0 +1,13 @@
+<html>
+
+<head>
+ <title>hello I am a test</title>
+</head>
+
+<body>
+ <h1>hello I am a test</h1>
+ <form>
+ [$ hidden $]
+ </form>
+
+</html>
\ No newline at end of file