Author: richter
Date: Sun Jan  5 13:31:12 2025
New Revision: 1922899

URL: http://svn.apache.org/viewvc?rev=1922899&view=rev
Log:
Fix missing escape of name attribute in hidden command

Added:
    perl/embperl/trunk/test/cmp/hidden_escape.htm
    perl/embperl/trunk/test/html/hidden_escape.htm
Modified:
    perl/embperl/trunk/epcmd.c
    perl/embperl/trunk/epcmd2.c
    perl/embperl/trunk/test.pl

Modified: perl/embperl/trunk/epcmd.c
URL: 
http://svn.apache.org/viewvc/perl/embperl/trunk/epcmd.c?rev=1922899&r1=1922898&r2=1922899&view=diff
==============================================================================
--- perl/embperl/trunk/epcmd.c (original)
+++ perl/embperl/trunk/epcmd.c Sun Jan  5 13:31:12 2025
@@ -812,7 +812,7 @@ static int CmdHidden (/*i/o*/ register r
                if (ppsv && (!(r -> Component.Config.bOptions & 
optNoHiddenEmptyValue) || *SvPV (*ppsv, na)))
                     {
                     oputs (r, "<input type=\"hidden\" name=\"") ;
-                    oputs (r, pKey) ;
+                    OutputToHtml (r, pKey) ;
                     oputs (r, "\" value=\"") ;
                     OutputToHtml (r, SvPV (*ppsv, na)) ;
                     oputs (r, "\">\n") ;
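Review bot: Whether `pKey` is actually neutralised here depends on what `OutputToHtml` does under the page's current escape mode, which this hunk does not show. The epcmd2.c counterpart passes `r -> Component.nCurrEscMode` to `Escape`, so the escaping is presumably mode-dependent in both files; a page that turns HTML escaping off would then still write the key raw inside `name="…"`. The key is a client-supplied field name (the new test feeds it in through `query_info`), so either force HTML escaping for this attribute or document the dependency above the call, e.g. `/* pKey is a client-supplied field name; escaped per current escmode only */`. The same applies to the hunk at `@@ -833,7 +833,7 @@`; CmdHidden's body starts and ends outside both hunks.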
@@ -833,7 +833,7 @@ static int CmdHidden (/*i/o*/ register r
                 if (!(r -> Component.Config.bOptions & optNoHiddenEmptyValue) 
|| *SvPV (psv, na)) 
                    {
                     oputs (r, "<input type=\"hidden\" name=\"") ;
-                    oputs (r, pKey) ;
+                    OutputToHtml (r, pKey) ;
                     oputs (r, "\" value=\"") ;
                     OutputToHtml (r, SvPV (psv, na)) ;
                     oputs (r, "\">\n") ;

Modified: perl/embperl/trunk/epcmd2.c
URL: 
http://svn.apache.org/viewvc/perl/embperl/trunk/epcmd2.c?rev=1922899&r1=1922898&r2=1922899&view=diff
==============================================================================
--- perl/embperl/trunk/epcmd2.c (original)
+++ perl/embperl/trunk/epcmd2.c Sun Jan  5 13:31:12 2025
@@ -334,26 +334,29 @@ int embperlCmd_Hidden     (/*i/o*/ register
             if (ppsv && (pKey = SvPV(*ppsv, nKey)) && !hv_exists (pSubHash, 
pKey, nKey))
                 {
                 STRLEN lppsv ;
-               ppsv = hv_fetch (pAddHash, pKey, nKey, 0) ;
+                ppsv = hv_fetch (pAddHash, pKey, nKey, 0) ;
                 
-               if (ppsv && (!(r -> Component.Config.bOptions & 
optNoHiddenEmptyValue) || *SvPV (*ppsv, lppsv)))
+                if (ppsv && (!(r -> Component.Config.bOptions & 
optNoHiddenEmptyValue) || *SvPV (*ppsv, lppsv)))
                     {
                     char * s ;
-                   STRLEN     l ;
+                           STRLEN     l ;
                     SV * sEscapedText ;
-                   tNode xInputNode = Node_appendChild (r -> pApp, pDomTree, 
pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
+                           tNode xInputNode = Node_appendChild (r -> pApp, 
pDomTree, pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
                     tNode xAttr      = Node_appendChild (r -> pApp, pDomTree, 
xInputNode, nRepeatLevel, ntypAttr, 0, "type", 4, 0, 0, NULL) ;
                                        Node_appendChild (r -> pApp, pDomTree, 
xAttr, nRepeatLevel, ntypAttrValue, 0, "hidden", 6, 0, 0, NULL) ;
                    
                           xAttr      = Node_appendChild (r -> pApp, pDomTree, 
xInputNode, nRepeatLevel, ntypAttr, 0, "name", 4, 0, 0, NULL) ;
-                                       Node_appendChild (r -> pApp, pDomTree, 
xAttr, nRepeatLevel, ntypAttrValue, 0, pKey, nKey, 0, 0, NULL) ;
+
+                    sEscapedText = Escape (r, pKey, nKey, r -> 
Component.nCurrEscMode, NULL, '\0') ;
+                    s = SV2String (sEscapedText, l) ;
+                                       Node_appendChild (r -> pApp, pDomTree, 
xAttr, nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
                           xAttr      = Node_appendChild (r -> pApp, pDomTree, 
xInputNode, nRepeatLevel, ntypAttr, 0, "value", 5, 0, 0, NULL) ;
 
-                   s = SvPV (*ppsv, l) ;                         
+                           s = SvPV (*ppsv, l) ;                         
                     sEscapedText = Escape (r, s, l, r -> 
Component.nCurrEscMode, NULL, '\0') ;
                     s = SV2String (sEscapedText, l) ;
                          
-                   Node_appendChild (r -> pApp, pDomTree, xAttr, nRepeatLevel, 
ntypAttrValue, 0, s, l, 0, 0, NULL) ;
+                       Node_appendChild (r -> pApp, pDomTree, xAttr, 
nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
                     SvREFCNT_dec (sEscapedText) ;
                     }
                 }
@@ -375,21 +378,24 @@ int embperlCmd_Hidden     (/*i/o*/ register
                 if (!(r -> Component.Config.bOptions & optNoHiddenEmptyValue) 
|| *SvPV (psv, lpsv)) 
                     {
                     char * s ;
-                   STRLEN     l ;
+                           STRLEN     l ;
                     SV * sEscapedText ;
-                   tNode xInputNode = Node_appendChild (r -> pApp, pDomTree, 
pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
+                           tNode xInputNode = Node_appendChild (r -> pApp, 
pDomTree, pNewNode -> xNdx, nRepeatLevel, ntypTag, 0, "input", 5, 0, 0, NULL) ;
                     tNode xAttr      = Node_appendChild (r -> pApp, pDomTree, 
xInputNode, nRepeatLevel, ntypAttr, 0, "type", 4, 0, 0, NULL) ;
                                        Node_appendChild (r -> pApp, pDomTree, 
xAttr, nRepeatLevel, ntypAttrValue, 0, "hidden", 6, 0, 0, NULL) ;
                    
                           xAttr      = Node_appendChild (r -> pApp, pDomTree, 
xInputNode, nRepeatLevel, ntypAttr, 0, "name", 4, 0, 0, NULL) ;
-                                       Node_appendChild (r -> pApp, pDomTree, 
xAttr, nRepeatLevel, ntypAttrValue, 0, pKey, nKey, 0, 0, NULL) ;
+                        
+                    sEscapedText = Escape (r, pKey, nKey, r -> 
Component.nCurrEscMode, NULL, '\0') ;
+                    s = SV2String (sEscapedText, l) ;
+                                       Node_appendChild (r -> pApp, pDomTree, 
xAttr, nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
                           xAttr      = Node_appendChild (r -> pApp, pDomTree, 
xInputNode, nRepeatLevel, ntypAttr, 0, "value", 5, 0, 0, NULL) ;
 
-                   s = SvPV (psv, l) ;                   
+                           s = SvPV (psv, l) ;                   
                     sEscapedText = Escape (r, s, l, r -> 
Component.nCurrEscMode, NULL, '\0') ;
                     s = SV2String (sEscapedText, l) ;
                          
-                   Node_appendChild (r -> pApp, pDomTree, xAttr, nRepeatLevel, 
ntypAttrValue, 0, s, l, 0, 0, NULL) ;
+                       Node_appendChild (r -> pApp, pDomTree, xAttr, 
nRepeatLevel, ntypAttrValue, 0, s, l, 0, 0, NULL) ;
                     SvREFCNT_dec (sEscapedText) ;
                     }
                 }

Modified: perl/embperl/trunk/test.pl
URL: 
http://svn.apache.org/viewvc/perl/embperl/trunk/test.pl?rev=1922899&r1=1922898&r2=1922899&view=diff
==============================================================================
--- perl/embperl/trunk/test.pl (original)
+++ perl/embperl/trunk/test.pl Sun Jan  5 13:31:12 2025
@@ -315,6 +315,9 @@ use lib '.';
     'hidden.htm' => { 
         'query_info' => 
'feld1=Wert1&feld2=Wert2&feld3=Wert3&feld4=Wert4?foo=bar',
         },
+    'hidden_escape.htm' => {
+        'query_info' => 
'%22%3E%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E=1',
+    },
     'java.htm' => { },
     'inputjava.htm' => { },
     'inputjs2.htm' => {
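Review bot: This single case cannot cover everything the commit patches: epcmd.c and epcmd2.c each change two separate branches (the `*ppsv` one and the `psv` one), and one page with a bare `[$ hidden $]` appears to reach only one of them per implementation. The key contains `"`, `<` and `>` but no `&`, so the encoding of ampersands in field names is not pinned by `test/cmp/hidden_escape.htm`. Consider a second entry whose page drives the other branch and whose `query_info` key includes a percent-encoded `&`.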

Added: perl/embperl/trunk/test/cmp/hidden_escape.htm
URL: 
http://svn.apache.org/viewvc/perl/embperl/trunk/test/cmp/hidden_escape.htm?rev=1922899&view=auto
==============================================================================
--- perl/embperl/trunk/test/cmp/hidden_escape.htm (added)
+++ perl/embperl/trunk/test/cmp/hidden_escape.htm Sun Jan  5 13:31:12 2025
@@ -0,0 +1,13 @@
+<html>
+
+<head>
+    <title>hello I am a test</title>
+</head>
+
+<body>
+    <h1>hello I am a test</h1>
+    <form>
+        <input type="hidden" 
name="&quot;&gt;&lt;script&gt;alert(&quot;hello&quot;);&lt;/script&gt;" 
value="1">
+    </form>
+
+</html>
\ No newline at end of file

Added: perl/embperl/trunk/test/html/hidden_escape.htm
URL: 
http://svn.apache.org/viewvc/perl/embperl/trunk/test/html/hidden_escape.htm?rev=1922899&view=auto
==============================================================================
--- perl/embperl/trunk/test/html/hidden_escape.htm (added)
+++ perl/embperl/trunk/test/html/hidden_escape.htm Sun Jan  5 13:31:12 2025
@@ -0,0 +1,13 @@
+<html>
+
+<head>
+    <title>hello I am a test</title>
+</head>
+
+<body>
+    <h1>hello I am a test</h1>
+    <form>
+        [$ hidden $]
+    </form>
+
+</html>
\ No newline at end of file


