Overview
Comment: | Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string. |
---|---|
SHA3-256: |
1e5ec777a7b87cb51eedff9161414697 |
User & Date: | drh 2018-03-09 17:49:38.195 |
Context
2018-03-28
| ||
20:25 | Update the built-in SQLite to the first 3.23.0 beta. (check-in: 127706d944 user: drh tags: trunk) | |
2018-03-09
| ||
17:49 | Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string. (check-in: 1e5ec777a7 user: drh tags: trunk) | |
2018-03-02
| ||
14:02 | Add the download.md document. (check-in: 88695e2d91 user: drh tags: trunk) | |
Changes
Changes to tests/test01.tcl.
︙ | ︙ | |||
28 29 30 31 32 33 34 | <li><p><a href='%url($B)/globals'>TCL global variables</a> <li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a> <li><p><a href='%url($B)/fileupload'>File Upload Using multipart/form-data</a> <li><p><a href='%url($B)/self'>The source code to this script</a> } set x "%string(...)" | | | 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | <li><p><a href='%url($B)/globals'>TCL global variables</a> <li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a> <li><p><a href='%url($B)/fileupload'>File Upload Using multipart/form-data</a> <li><p><a href='%url($B)/self'>The source code to this script</a> } set x "%string(...)" set v abc'def\"ghi\\jkl</script> wapp-subst {<li>%html($x) substitution test: "%string%($v)%"\n} wapp "</ol>" if {[wapp-param-exists showenv]} { wapp-page-env } wapp-trim { <p>The creator of Wapp:<br> |
︙ | ︙ | |||
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 | <p>This page uses wapp-allow-xorigin-params so that new query parameters may be added manually to the URL.</p> <pre>%html([wapp-debug-env])</pre> } } proc wapp-page-env {} { global wapp wapp-set-cookie env-cookie simple wapp "<h1>Wapp Environment</h1>\n" wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n" wapp "<input type='checkbox' name='showhdr'" if {[wapp-param-exists showhdr]} { wapp " checked" } wapp "> Show Header\n" wapp "<input type='submit' value='Go'>\n" wapp "</form>" wapp "<pre>\n" foreach var [lsort [wapp-param-list]] { if {[string index $var 0]=="." && ($var!=".header" || ![wapp-param-exists showhdr])} continue wapp-subst {%html($var) = %html([list [wapp-param $var]])\n} } wapp "</pre>" wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n" } proc wapp-page-fullenv {} { wapp-set-cookie env-cookie full wapp "<h1>Wapp Full Environment</h1>\n" wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n" wapp "<input type='checkbox' name='var1'" if {[wapp-param-exists showhdr]} { | > > > > > > > > > | 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 | <p>This page uses wapp-allow-xorigin-params so that new query parameters may be added manually to the URL.</p> <pre>%html([wapp-debug-env])</pre> } } proc wapp-page-env {} { global wapp wapp-allow-xorigin-params wapp-set-cookie env-cookie simple wapp "<h1>Wapp Environment</h1>\n" wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n" wapp "<input type='checkbox' name='showhdr'" if {[wapp-param-exists showhdr]} { wapp " checked" } wapp "> Show Header\n" wapp "<input type='submit' value='Go'>\n" wapp "</form>" wapp "<pre>\n" foreach var [lsort [wapp-param-list]] { if {[string index $var 0]=="." 
&& ($var!=".header" || ![wapp-param-exists showhdr])} continue wapp-subst {%html($var) = %html([list [wapp-param $var]])\n} } wapp "</pre>" wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n" wapp-trim {<h1>Using %string</h1>} wapp "<pre>\n" foreach var [lsort [wapp-param-list]] { if {[string index $var 0]=="." && ($var!=".header" || ![wapp-param-exists showhdr])} continue wapp-subst {%html($var) = %string([list [wapp-param $var]])\n} } wapp "</pre>" } proc wapp-page-fullenv {} { wapp-set-cookie env-cookie full wapp "<h1>Wapp Full Environment</h1>\n" wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n" wapp "<input type='checkbox' name='var1'" if {[wapp-param-exists showhdr]} { |
︙ | ︙ |
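Review bot: Both new uses of %string in this section — the `"%string%($v)%"` inside the `<li>` in the first hunk and the second `foreach` loop added to wapp-page-env that emits `%string([list [wapp-param $var]])` into a `<pre>` — put the JavaScript-string escaper into an HTML text context, where it neutralizes `<` (mapped to `\u003c`) but leaves `&` and `>` untouched, so the demo depends on a side effect of the JS escaping rather than on context-appropriate HTML escaping. The same hunk also adds a `wapp-allow-xorigin-params` call to wapp-page-env, which now lets externally supplied query parameters reach a page that echoes every parameter back, and nothing in the code says why. A one-line comment above the new loop would make the intent explicit, e.g. `# Demo of %string output: values are JS-string escaped, not HTML escaped, so this block is for visual inspection only`. wapp-page-fullenv continues outside the hunk.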
Changes to wapp.tcl.
︙ | ︙ | |||
99 100 101 102 103 104 105 | # wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # | | | > > | | 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 | # wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # # wappInt-enc-string Escape ", ', \, and < for using inside of a # javascript string literal. The < character # is escaped to prevent "</script>" from causing # problems in embedded javascript. # # wappInt-enc-unsafe Perform no encoding at all. Unsafe. # proc wappInt-enc-html {txt} { return [string map {& & < < > > \" " \\ \} $txt] } proc wappInt-enc-unsafe {txt} { return $txt } proc wappInt-enc-url {s} { if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} { set s [subst -novar -noback $s] |
︙ | ︙ | |||
129 130 131 132 133 134 135 | } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { | | | 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 | } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c} $s] } # This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns # an appropriate %HH encoding for the single character c. If c is a unicode # character, then this routine might return multiple bytes: %HH%HH%HH # proc wappInt-%HHchar {c} { |
︙ | ︙ |
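Review bot: The new `string map` in wappInt-enc-string (second hunk, right line 138) escapes `\`, `"`, `'` and `<` but still passes raw newline and carriage-return characters through, and a literal line break inside a JavaScript string literal terminates it, so a parameter value containing one breaks the embedded script even though `</script>` itself is now neutralized. Older JavaScript engines also treat U+2028 and U+2029 as line terminators, so those should be escaped the same way; Tcl list parsing performs backslash substitution on the map elements, so the table can be extended in place: `return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c \n \\n \r \\r \u2028 \\u2028 \u2029 \\u2029} $s]`. The header comment for wappInt-enc-string added in the first hunk should then list the line terminators alongside `", ', \, and <`.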