Check-in [1e5ec777a7]
Overview
Comment:Improve %string() to escape < so that </script> does not cause problems in embedded javascript. Improve %html() to escape " and \ to avoid problems with HTML used inside a javascript string.
SHA3-256:1e5ec777a7b87cb51eedff9161414697769616fdc0bdddad2e082ed198cf0a88
User & Date: drh 2018-03-09 17:49:38

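--- a/tests/test01.tcl
+++ b/tests/test01.tcl
@@ -28,15 +28,15 @@
     <li><p><a href='%url($B)/globals'>TCL global variables</a>
     <li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a>
     <li><p><a href='%url($B)/fileupload'>File Upload
     Using multipart/form-data</a>
     <li><p><a href='%url($B)/self'>The source code to this script</a>
   }
   set x "%string(...)"
-  set v abc'def\"ghi\\jkl
+  set v abc'def\"ghi\\jkl</script>
   wapp-subst {<li>%html($x) substitution test: "%string%($v)%"\n}
   wapp "</ol>"
   if {[wapp-param-exists showenv]} {
     wapp-page-env
   }
   wapp-trim {
     <p>The creator of Wapp:<br>
@@ -69,14 +69,15 @@
     <p>This page uses wapp-allow-xorigin-params so that new
        query parameters may be added manually to the URL.</p>
     <pre>%html([wapp-debug-env])</pre>
   }
 }
 proc wapp-page-env {} {
   global wapp
+  wapp-allow-xorigin-params
   wapp-set-cookie env-cookie simple
   wapp "<h1>Wapp Environment</h1>\n"
   wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n"
   wapp "<input type='checkbox' name='showhdr'"
   if {[wapp-param-exists showhdr]} {
     wapp " checked"
   }
@@ -87,14 +88,22 @@
   foreach var [lsort [wapp-param-list]] {
     if {[string index $var 0]=="." &&
          ($var!=".header" || ![wapp-param-exists showhdr])} continue
     wapp-subst {%html($var) = %html([list [wapp-param $var]])\n}
   }
   wapp "</pre>"
   wapp-unsafe "<p><a href='[wapp-param BASE_URL]/'>Home</a></p>\n"
+  wapp-trim {<h1>Using &#37;string</h1>}
+  wapp "<pre>\n"
+  foreach var [lsort [wapp-param-list]] {
+    if {[string index $var 0]=="." &&
+         ($var!=".header" || ![wapp-param-exists showhdr])} continue
+    wapp-subst {%html($var) = %string([list [wapp-param $var]])\n}
+  }
+  wapp "</pre>"
 }
 proc wapp-page-fullenv {} {
   wapp-set-cookie env-cookie full
   wapp "<h1>Wapp Full Environment</h1>\n"
   wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n"
   wapp "<input type='checkbox' name='var1'"
   if {[wapp-param-exists showhdr]} {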
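Review bot: The `wapp-allow-xorigin-params` call added at new line 70 relaxes the same-origin check for query parameters on wapp-page-env, and the two loops in the third hunk reflect every parameter back into the page; the reflection goes through %html and %string so it looks safe, but the reason the relaxation is acceptable on this page is not recorded anywhere, whereas the main page states it in its own output text (file lines 69-70). A one-line comment next to the call would capture the intent: `# Parameters are only reflected through %html/%string below, so cross-origin query parameters are harmless on this page`. Note also that the new %string loop lands its output in HTML `<pre>` text rather than inside a JavaScript string, so it exercises the encoder only visually and does not test the `</script>` case the commit is about. wapp-page-env's body spans the second and third hunks and is cut by the elision between them.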

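--- a/wapp.tcl
+++ b/wapp.tcl
@@ -99,21 +99,23 @@
 #    wappInt-enc-url            Escape text so that it is safe to pass as an
 #                               argument to href= and src= attributes in HTML.
 #
 #    wappInt-enc-qp             Escape text so that it is safe to use as the
 #                               value of a query parameter in a URL or in
 #                               post data or in a cookie.
 #
-#    wappInt-enc-string         Escape ", ', and \ for using inside of a
-#                               javascript string literal.
+#    wappInt-enc-string         Escape ", ', \, and < for using inside of a
+#                               javascript string literal.  The < character
+#                               is escaped to prevent "</script>" from causing
+#                               problems in embedded javascript.
 #
 #    wappInt-enc-unsafe         Perform no encoding at all.  Unsafe.
 #
 proc wappInt-enc-html {txt} {
-  return [string map {& &amp; < &lt; > &gt;} $txt]
+  return [string map {& &amp; < &lt; > &gt; \" &quot; \\ &#92;} $txt]
 }
 proc wappInt-enc-unsafe {txt} {
   return $txt
 }
 proc wappInt-enc-url {s} {
   if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} {
     set s [subst -novar -noback $s]
@@ -129,15 +131,15 @@
   }
   if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} {
     set s [subst -novar -noback $s]
   }
   return $s
 }
 proc wappInt-enc-string {s} {
-  return [string map {\\ \\\\ \" \\\" ' \\'} $s]
+  return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c} $s]
 }
 
 # This is a helper routine for wappInt-enc-url and wappInt-enc-qp.  It returns
 # an appropriate %HH encoding for the single character c.  If c is a unicode
 # character, then this routine might return multiple bytes:  %HH%HH%HH
 #
 proc wappInt-%HHchar {c} {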
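Review bot: wappInt-enc-string in the second hunk still passes raw CR and LF through, so a value containing a newline terminates the JavaScript string literal it is substituted into and leaves a syntax error or an unterminated literal; the new `<` mapping does not cover that case. Adding the two line terminators to the map is a one-line change: `return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c \n \\n \r \\r} $s]`. U+2028 and U+2029 were also string-breaking line terminators in JavaScript before ES2019, and a `\u2028`/`\u2029` mapping would handle them the same way. Separately, wappInt-enc-html in the first hunk now escapes `"` and `\` but not `'`, so its output is still not safe inside a single-quoted attribute such as the `href='...'` form used in the tests; adding `' &#39;` to that map would close the gap.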