Escaping problems with CGI-various

Andreas Koenig (k@franz.ww.tu-berlin.de)
Sat, 22 Apr 95 11:37:45 +0200


Hi, Tim,

if you insert a text like

    Andreas Koe<P>nig

into a form field, your as_string function turns it into

    name = 'Andreas Koe
nig'

I'm not sure if I found the best place to insert a fix for this (in
fact I expect there should be a better one), but the patch below seems
to behave correctly in this respect. The following four escapes should
really be available in many places:

    s/&/&amp;/sg;
    s/</&lt;/sg;
    s/>/&gt;/sg;
    s/\"/&quot;/sg;

Let's say you want to give a user write access to an HTML document
within a form; then she will write HTML tokens within the form. The
patch below fixes the interpretation of what comes in from the user,
but these four escapes are necessary to format the default text that
is presented to the user. I'm gonna demonstrate such a page RSN, I
just have to fix some network configuration problems :(

Below you also find a patch to MiniSvr.pm. I couldn't find out why,
but yesterday a CGI program aborted due to 'use strict' in line 440 of
MiniSvr.pm. The `no strict` within that block fixed the problem.


Thanks, Tim, MiniSvr is sugar!!!!
andreas



*** Request.pm.orig	Sat Apr 22 11:20:39 1995
--- Request.pm	Sat Apr 22 11:17:08 1995
***************
*** 1,6 ****
  package CGI::Request;
  
! # $Id: Request.pm,v 1.17 1995/04/14 21:47:17 timbo Exp $
  
  =head1 NAME
  
--- 1,6 ----
  package CGI::Request;
  
! # $Id: Request.pm,v 1.2 1995/04/22 08:34:09 k Exp $
  
  =head1 NAME
  
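Review bot: the `$Id:` keyword change in this hunk is RCS check-in noise from a local copy (revision 1.2 by `k` replacing timbo's 1.17), not part of the fix; applying it would overwrite the upstream revision string, so drop this hunk from the patch.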
***************
*** 144,150 ****
  # $Exporter::Verbose = 1;
  
  
! $Version = '$Revision: 1.17 $';
  ($Version = $Version) =~ s/.*(\d+\.\d+).*/$1/;
  my $Debug    = 1;
  
--- 144,150 ----
  # $Exporter::Verbose = 1;
  
  
! $Version = '$Revision: 1.2 $';
  ($Version = $Version) =~ s/.*(\d+\.\d+).*/$1/;
  my $Debug    = 1;
  
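Review bot: same problem as the `$Id:` hunk: `$Version = '$Revision: 1.2 $'` makes the module report version 1.2 instead of 1.17, which is a regression in the version number rather than a change, so this hunk should also be dropped and the keyword left for the upstream RCS to expand.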
***************
*** 355,366 ****
      my($self, $name, @values) = @_;
      my $va = $self->{$name};
      $self->{$name} = [@values] if @values;
! 	return () unless $va;
!     return $va->[$#$va] unless wantarray;
      @$va;
  }
  
- 
  =head2 params
  
      @names = $req->params
--- 355,367 ----
      my($self, $name, @values) = @_;
      my $va = $self->{$name};
      $self->{$name} = [@values] if @values;
!         return () unless $va;
!     croak "Can't read multi-value form parameter '$name' in scalar context"
!         if !wantarray and @$va > 0;
!     return $va->[0] unless wantarray;
      @$va;
  }
  
  =head2 params
  
      @names = $req->params
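Review bot: the condition `if !wantarray and @$va > 0` croaks on every scalar-context read of a parameter that has any value at all, including the normal single-value case, since `@$va > 0` is true whenever the array is non-empty; if the intent is to refuse ambiguous multi-value parameters in scalar context it should read `@$va > 1`. Two further points: `croak` needs `use Carp` somewhere in the module (not visible in this hunk), and the return value for a single value silently changes from the last element (`$va->[$#$va]`) to the first (`$va->[0]`), which is a behaviour change that the message does not mention and that deserves a sentence in the POD (which of several duplicated parameters wins matters to callers that treat the value as trusted). The `return () unless $va;` line also has mixed tab/space indentation that differs from the surrounding four-space style.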
***************
*** 438,444 ****
      my(@h, $key, $out);
      foreach $key (sort keys(%$hashref)) {
  	foreach (@{$hashref->{$key}}) {
! 	    s/\n/<BR>/mg;
  	    push(@h, sprintf($fmt, $key, $_));
  	}
      }
--- 439,449 ----
      my(@h, $key, $out);
      foreach $key (sort keys(%$hashref)) {
  	foreach (@{$hashref->{$key}}) {
! 	    s/&/&amp;/mg;
! 	    s/</&lt;/mg;
! 	    s/>/&gt;/mg;
! 	    s/\"/&quot;/mg;
! 	    s/\n/<BR>/mgx;
  	    push(@h, sprintf($fmt, $key, $_));
  	}
      }
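Review bot: the substitutions operate on `$_`, which `foreach (@{$hashref->{$key}})` aliases to the stored array elements, so `as_string` now HTML-escapes the parameter values in place; a second call on the same request produces `&amp;amp;` and `&amp;lt;`, and any later code reading the parameter sees escaped text instead of what the user sent (the pre-existing `<BR>` substitution had the same problem, but it is much more visible with four more escapes). Copy first, e.g. `my $v = $_;` and run the `s///` on `$v` before the `push`. The order of the escapes is right (`&` first, `\n` to `<BR>` last, after the `<` and `>` escapes), but the `/x` added to `s/\n/<BR>/mgx` serves no purpose on a pattern with no whitespace, and `/m` is meaningless without `^` or `$` in the patterns; `/g` alone is enough on all five lines. Single quotes are not escaped, which is fine for the `<BR>`-joined display output but not if a caller ever puts the result into a single-quoted attribute.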
*** MiniSvr.pm	1995/04/21 20:16:47	1.1
--- MiniSvr.pm	1995/04/21 20:20:34
***************
*** 434,439 ****
--- 434,440 ----
  
      # Set CGI vars from headers (e.g., $CONTENT_LENGTH from 'Content-Length:')
      foreach (@CGI::MiniSvr::CgiEnv){
+ 	no strict;
          my $eva = $CGI::MiniSvr::CgiEnv{$_};
  	my $hdr = $eva->{'HDR'};
  	next unless $hdr and $self->{$hdr};
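Review bot: a bare `no strict` switches off `refs`, `vars` and `subs` checking for the rest of the loop body, which also hides undeclared-variable typos in everything that follows; nothing in the three visible lines (`my $eva = ...`, `my $hdr = $eva->{'HDR'}`, `next unless $hdr and $self->{$hdr}`) needs it, so the statement that actually failed at line 440 should be identified and the narrowest pragma used, most likely `no strict 'refs';` placed directly before it if it assigns to a CGI variable by name. The message itself says the cause was not found, so the patch should not be merged until it is.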
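The four escapes from Andreas's message, shown as a stand-alone Perl example that is not part of the message, of CGI::Request or of the patch: it applies them in the order the patch uses (`&` first, newline to `<BR>` only after `<` and `>` are escaped), works on a copy of the value so the stored form data is not modified, and uses the same escaping for the default text of a form field, where the `"` escape is what keeps user text inside the attribute. The function names, the sample input and the extra `&#39;` escape for single quotes are assumptions added here.

```perl
#!/usr/bin/perl
# Added example, not code from CGI::Request or from the patch in the message.
# Function names are hypothetical; the sample form data is constructed.
use strict;
use warnings;

# The four escapes from the message, plus single quote. '&' must be escaped
# first, otherwise the '&' introduced by the later replacements would be
# escaped a second time ("&amp;lt;").
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;    # assumption: not in the patch; needed inside single-quoted attributes
    return $s;
}

# Render a parameter for display the way as_string does: escape first, then
# turn newlines into <BR>. Doing the <BR> substitution before escaping would
# yield "&lt;BR&gt;" and the line break would be lost.
# The function works on its argument copy, so the caller's value is untouched.
sub as_html_text {
    my ($value) = @_;
    my $out = html_escape($value);
    $out =~ s/\n/<BR>/g;
    return $out;
}

# Default text for a form field: the value sits inside a double-quoted
# attribute, so without the '"' escape user text could close the attribute
# and continue with its own markup.
sub text_field {
    my ($name, $default) = @_;
    return sprintf('<INPUT TYPE="text" NAME="%s" VALUE="%s">',
                   html_escape($name), html_escape($default));
}

# Constructed sample input: the value from the message plus one with a
# newline, quotes and tags, as a user might type into a textarea.
my %form = (
    name => "Andreas Koe<P>nig",
    bio  => "line one\nline \"two\" & <B>three</B>",
);

# Display form, as as_string would print it:
#   bio = 'line one<BR>line &quot;two&quot; &amp; &lt;B&gt;three&lt;/B&gt;'
#   name = 'Andreas Koe&lt;P&gt;nig'
for my $key (sort keys %form) {
    printf "%s = '%s'\n", $key, as_html_text($form{$key});
}

# Default text presented back to the user in a form field:
#   <INPUT TYPE="text" NAME="name" VALUE="Andreas Koe&lt;P&gt;nig">
print text_field('name', $form{name}), "\n";

# The stored value is unchanged, so rendering twice does not double-escape.
print "stored value still: $form{name}\n";
```

Because `as_html_text` escapes a copy, calling it twice on the same request yields the same output both times; the `foreach (@{$hashref->{$key}})` loop in the patch instead rewrites the stored elements through the `$_` alias, which is the difference to watch for when porting the escapes into `as_string`.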