Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
1e5ec777a7b87cb51eedff9161414697 |
| User & Date: | drh 2018-03-09 17:49:38 |
Context
|
2018-03-28
| ||
| 20:25 | Update the built-in SQLite to the first 3.23.0 beta. check-in: 127706d944 user: drh tags: trunk | |
|
2018-03-09
| ||
| 17:49 | Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string. check-in: 1e5ec777a7 user: drh tags: trunk | |
|
2018-03-02
| ||
| 14:02 | Add the download.md document. check-in: 88695e2d91 user: drh tags: trunk | |
Changes
Changes to tests/test01.tcl.
28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 .. 69 70 71 72 73 74 75 76 77 78 79 80 81 82 .. 87 88 89 90 91 92 93 94 95 96 97 98 99 100 |
<li><p><a href='%url($B)/globals'>TCL global variables</a>
<li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a>
<li><p><a href='%url($B)/fileupload'>File Upload
Using multipart/form-data</a>
<li><p><a href='%url($B)/self'>The source code to this script</a>
}
set x "%string(...)"
set v abc'def\"ghi\\jkl
wapp-subst {<li>%html($x) substitution test: "%string%($v)%"\n}
wapp "</ol>"
if {[wapp-param-exists showenv]} {
wapp-page-env
}
wapp-trim {
<p>The creator of Wapp:<br>
................................................................................
<p>This page uses wapp-allow-xorigin-params so that new
query parameters may be added manually to the URL.</p>
<pre>%html([wapp-debug-env])</pre>
}
}
proc wapp-page-env {} {
global wapp
wapp-set-cookie env-cookie simple
wapp "<h1>Wapp Environment</h1>\n"
wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='showhdr'"
if {[wapp-param-exists showhdr]} {
wapp " checked"
}
................................................................................
foreach var [lsort [wapp-param-list]] {
if {[string index $var 0]=="." &&
($var!=".header" || ![wapp-param-exists showhdr])} continue
wapp-subst {%html($var) = %html([list [wapp-param $var]])\n}
}
wapp "</pre>"
wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n"
}
proc wapp-page-fullenv {} {
wapp-set-cookie env-cookie full
wapp "<h1>Wapp Full Environment</h1>\n"
wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='var1'"
if {[wapp-param-exists showhdr]} {
|
| > > > > > > > > > |
28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 .. 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 .. 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
<li><p><a href='%url($B)/globals'>TCL global variables</a>
<li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a>
<li><p><a href='%url($B)/fileupload'>File Upload
Using multipart/form-data</a>
<li><p><a href='%url($B)/self'>The source code to this script</a>
}
set x "%string(...)"
set v abc'def\"ghi\\jkl</script>
wapp-subst {<li>%html($x) substitution test: "%string%($v)%"\n}
wapp "</ol>"
if {[wapp-param-exists showenv]} {
wapp-page-env
}
wapp-trim {
<p>The creator of Wapp:<br>
................................................................................
<p>This page uses wapp-allow-xorigin-params so that new
query parameters may be added manually to the URL.</p>
<pre>%html([wapp-debug-env])</pre>
}
}
proc wapp-page-env {} {
global wapp
wapp-allow-xorigin-params
wapp-set-cookie env-cookie simple
wapp "<h1>Wapp Environment</h1>\n"
wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='showhdr'"
if {[wapp-param-exists showhdr]} {
wapp " checked"
}
................................................................................
foreach var [lsort [wapp-param-list]] {
if {[string index $var 0]=="." &&
($var!=".header" || ![wapp-param-exists showhdr])} continue
wapp-subst {%html($var) = %html([list [wapp-param $var]])\n}
}
wapp "</pre>"
wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n"
wapp-trim {<h1>Using %string</h1>}
wapp "<pre>\n"
foreach var [lsort [wapp-param-list]] {
if {[string index $var 0]=="." &&
($var!=".header" || ![wapp-param-exists showhdr])} continue
wapp-subst {%html($var) = %string([list [wapp-param $var]])\n}
}
wapp "</pre>"
}
proc wapp-page-fullenv {} {
wapp-set-cookie env-cookie full
wapp "<h1>Wapp Full Environment</h1>\n"
wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='var1'"
if {[wapp-param-exists showhdr]} {
|
Changes to wapp.tcl.
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
...
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
# wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # # wappInt-enc-string Escape ", ', and \ for using inside of a # javascript string literal. # # wappInt-enc-unsafe Perform no encoding at all. Unsafe. # proc wappInt-enc-html {txt} { return [string map {& & < < > >} $txt] } proc wappInt-enc-unsafe {txt} { return $txt } proc wappInt-enc-url {s} { if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} { set s [subst -novar -noback $s] ................................................................................ } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { return [string map {\\ \\\\ \" \\\" ' \\'} $s] } # This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns # an appropriate %HH encoding for the single character c. If c is a unicode # character, then this routine might return multiple bytes: %HH%HH%HH # proc wappInt-%HHchar {c} { |
|
|
>
>
|
|
|
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
...
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
# wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # # wappInt-enc-string Escape ", ', \, and < for using inside of a # javascript string literal. The < character # is escaped to prevent "</script>" from causing # problems in embedded javascript. # # wappInt-enc-unsafe Perform no encoding at all. Unsafe. # proc wappInt-enc-html {txt} { return [string map {& & < < > > \" " \\ \} $txt] } proc wappInt-enc-unsafe {txt} { return $txt } proc wappInt-enc-url {s} { if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} { set s [subst -novar -noback $s] ................................................................................ } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c} $s] } # This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns # an appropriate %HH encoding for the single character c. If c is a unicode # character, then this routine might return multiple bytes: %HH%HH%HH # proc wappInt-%HHchar {c} { |