Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
1e5ec777a7b87cb51eedff9161414697 |
| User & Date: | drh 2018-03-09 17:49:38.195 |
Context
|
2018-03-28
| ||
| 20:25 | Update the built-in SQLite to the first 3.23.0 beta. (check-in: 127706d944 user: drh tags: trunk) | |
|
2018-03-09
| ||
| 17:49 | Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string. (check-in: 1e5ec777a7 user: drh tags: trunk) | |
|
2018-03-02
| ||
| 14:02 | Add the download.md document. (check-in: 88695e2d91 user: drh tags: trunk) | |
Changes
Changes to tests/test01.tcl.
| ︙ | ︙ | |||
28 29 30 31 32 33 34 |
<li><p><a href='%url($B)/globals'>TCL global variables</a>
<li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a>
<li><p><a href='%url($B)/fileupload'>File Upload
Using multipart/form-data</a>
<li><p><a href='%url($B)/self'>The source code to this script</a>
}
set x "%string(...)"
| | | 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
<li><p><a href='%url($B)/globals'>TCL global variables</a>
<li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a>
<li><p><a href='%url($B)/fileupload'>File Upload
Using multipart/form-data</a>
<li><p><a href='%url($B)/self'>The source code to this script</a>
}
set x "%string(...)"
set v abc'def\"ghi\\jkl</script>
wapp-subst {<li>%html($x) substitution test: "%string%($v)%"\n}
wapp "</ol>"
if {[wapp-param-exists showenv]} {
wapp-page-env
}
wapp-trim {
<p>The creator of Wapp:<br>
|
| ︙ | ︙ | |||
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 |
<p>This page uses wapp-allow-xorigin-params so that new
query parameters may be added manually to the URL.</p>
<pre>%html([wapp-debug-env])</pre>
}
}
proc wapp-page-env {} {
global wapp
wapp-set-cookie env-cookie simple
wapp "<h1>Wapp Environment</h1>\n"
wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='showhdr'"
if {[wapp-param-exists showhdr]} {
wapp " checked"
}
wapp "> Show Header\n"
wapp "<input type='submit' value='Go'>\n"
wapp "</form>"
wapp "<pre>\n"
foreach var [lsort [wapp-param-list]] {
if {[string index $var 0]=="." &&
($var!=".header" || ![wapp-param-exists showhdr])} continue
wapp-subst {%html($var) = %html([list [wapp-param $var]])\n}
}
wapp "</pre>"
wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n"
}
proc wapp-page-fullenv {} {
wapp-set-cookie env-cookie full
wapp "<h1>Wapp Full Environment</h1>\n"
wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='var1'"
if {[wapp-param-exists showhdr]} {
| > > > > > > > > > | 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
<p>This page uses wapp-allow-xorigin-params so that new
query parameters may be added manually to the URL.</p>
<pre>%html([wapp-debug-env])</pre>
}
}
proc wapp-page-env {} {
global wapp
wapp-allow-xorigin-params
wapp-set-cookie env-cookie simple
wapp "<h1>Wapp Environment</h1>\n"
wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='showhdr'"
if {[wapp-param-exists showhdr]} {
wapp " checked"
}
wapp "> Show Header\n"
wapp "<input type='submit' value='Go'>\n"
wapp "</form>"
wapp "<pre>\n"
foreach var [lsort [wapp-param-list]] {
if {[string index $var 0]=="." &&
($var!=".header" || ![wapp-param-exists showhdr])} continue
wapp-subst {%html($var) = %html([list [wapp-param $var]])\n}
}
wapp "</pre>"
wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n"
wapp-trim {<h1>Using %string</h1>}
wapp "<pre>\n"
foreach var [lsort [wapp-param-list]] {
if {[string index $var 0]=="." &&
($var!=".header" || ![wapp-param-exists showhdr])} continue
wapp-subst {%html($var) = %string([list [wapp-param $var]])\n}
}
wapp "</pre>"
}
proc wapp-page-fullenv {} {
wapp-set-cookie env-cookie full
wapp "<h1>Wapp Full Environment</h1>\n"
wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n"
wapp "<input type='checkbox' name='var1'"
if {[wapp-param-exists showhdr]} {
|
| ︙ | ︙ |
Changes to wapp.tcl.
| ︙ | ︙ | |||
99 100 101 102 103 104 105 | # wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # | | | > > | | 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 |
# wappInt-enc-url Escape text so that it is safe to pass as an
# argument to href= and src= attributes in HTML.
#
# wappInt-enc-qp Escape text so that it is safe to use as the
# value of a query parameter in a URL or in
# post data or in a cookie.
#
# wappInt-enc-string Escape ", ', \, and < for using inside of a
# javascript string literal. The < character
# is escaped to prevent "</script>" from causing
# problems in embedded javascript.
#
# wappInt-enc-unsafe Perform no encoding at all. Unsafe.
#
proc wappInt-enc-html {txt} {
return [string map {& & < < > > \" " \\ \} $txt]
}
proc wappInt-enc-unsafe {txt} {
return $txt
}
proc wappInt-enc-url {s} {
if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} {
set s [subst -novar -noback $s]
|
| ︙ | ︙ | |||
129 130 131 132 133 134 135 |
}
if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} {
set s [subst -novar -noback $s]
}
return $s
}
proc wappInt-enc-string {s} {
| | | 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 |
}
if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} {
set s [subst -novar -noback $s]
}
return $s
}
proc wappInt-enc-string {s} {
return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c} $s]
}
# This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns
# an appropriate %HH encoding for the single character c. If c is a unicode
# character, then this routine might return multiple bytes: %HH%HH%HH
#
proc wappInt-%HHchar {c} {
|
| ︙ | ︙ |