HTML-escape patch for Gnatsweb 2.7 beta
- To: gnats-devel at sources dot redhat dot com
- Subject: HTML-escape patch for Gnatsweb 2.7 beta
- From: Yngve Svendsen <yngve dot svendsen at clustra dot com>
- Date: Fri, 20 Apr 2001 10:59:21 +0200
The following patch for Gnatsweb 2.7 beta ensures that everything displayed
on the query results page is properly HTML escaped. Previously, the query
results display could become badly messed up if HTML tags, or indeed
anything containing the symbols < and >, were included in the
subject/synopsis or in other PR fields. This patch ensures that everything
printed on the query results page has been passed through the escapeHTML
method of CGI.pm.
Yngve Svendsen
IS Engineer
Clustra AS, Trondheim, Norway
yngve.svendsen@clustra.com
*** gnatsweb-2.7beta/gnatsweb.pl Fri Apr 20 10:40:32 2001
--- gnatsweb.pl Fri Apr 20 10:34:40 2001
***************
*** 1658,1683 ****
"\"><font size=-1>edit</font></a>"
if can_edit();
print "</td>";
! print "<td nowrap>$cat</td>" if $vis{'category'};
! print "<td nowrap>$conf</td>" if $vis{'confidential'};
! print "<td nowrap>$state[$state]</td>" if $vis{'state'};
! print "<td nowrap>$class[$class]</td>" if $vis{'class'};
! print "<td nowrap>$severity[$sev]</td>" if $vis{'severity'};
! print "<td nowrap>$priority[$pri]</td>" if $vis{'priority'};
! print "<td nowrap>", nonempty($release), "</td>" if $vis{'release'};
! print "<td nowrap>", nonempty($quarter), "</td>" if($site_release_based
! && $vis{'quarter'});
! print "<td>", nonempty($keywords), "</td>" if($site_release_based
! && $vis{'keywords'});
! print "<td nowrap>$resp</td>" if $vis{'responsible'};
! print "<td nowrap>", nonempty($sub), "</td>" if $vis{'submitter_id'};
! print "<td nowrap>", nonempty($orig), "</td>" if $vis{'originator'};
! print "<td nowrap>$arrival</td>" if $vis{'arrival_date'};
! print "<td nowrap>", nonempty($daterequired), "</td>"
! if($site_release_based && $vis{'date_required'});
! print "<td nowrap>",nonempty($lastmoddate),"</td>" if
$vis{'last_modified'};
! print "<td nowrap>",nonempty($closeddate),"</td>" if $vis{'closed_date'};
! print "<td>$syn</td>" if $vis{'synopsis'};
print "</tr>\n";
}
print "</table>\n";
--- 1658,1685 ----
"\"><font size=-1>edit</font></a>"
if can_edit();
print "</td>";
!
! print $q->td({nowrap}, $q->escapeHTML($cat)) if $vis{'category'};
! print $q->td({nowrap}, $q->escapeHTML($conf)) if $vis{'confidential'};
! print $q->td({nowrap}, $q->escapeHTML($state[$state])) if $vis{'state'};
! print $q->td({nowrap}, $q->escapeHTML($class[$class])) if $vis{'class'};
! print $q->td({nowrap}, $q->escapeHTML($severity[$sev])) if
$vis{'severity'};
! print $q->td({nowrap}, $q->escapeHTML($priority[$pri])) if
$vis{'priority'};
! print $q->td({nowrap}, nonempty($q->escapeHTML($release))) if
$vis{'release'};
! print $q->td({nowrap}, nonempty($q->escapeHTML($quarter)))
if($site_release_based
! &&
$vis{'quarter'});
! print $q->td({nowrap}, nonempty($q->escapeHTML($keywords)))
if($site_release_based
! &&
$vis{'keywords'});
! print $q->td({nowrap}, $q->escapeHTML($resp)) if $vis{'responsible'};
! print $q->td({nowrap}, nonempty($q->escapeHTML($sub))) if
$vis{'submitter_id'};
! print $q->td({nowrap}, nonempty($q->escapeHTML($orig))) if
$vis{'originator'};
! print $q->td({nowrap}, $q->escapeHTML($arrival)) if $vis{'arrival_date'};
! print $q->td({nowrap}, nonempty($q->escapeHTML($daterequired)))
if($site_release_based
! &&
$vis{'date_required'});
! print $q->td({nowrap}, $q->nonempty(escapeHTML($lastmoddate))) if
$vis{'last_modified'};
! print $q->td({nowrap}, $q->nonempty(escapeHTML($closeddate))) if
$vis{'closed_date'};
! print $q->td({nowrap}, $q->escapeHTML($syn)) if $vis{'synopsis'};
!
print "</tr>\n";
}
print "</table>\n";
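Review bot: The last_modified and closed_date lines on the new side (the `$q->nonempty(escapeHTML($lastmoddate))` and `$q->nonempty(escapeHTML($closeddate))` prints) have the two calls inverted relative to every other line in the hunk: `nonempty` is the script's own helper, not a CGI method, and `escapeHTML` is invoked as a bare function instead of on `$q`, so `$q->nonempty` is likely to fail at runtime and, if it does not, these two cells would be the only ones left unescaped. They should read `print $q->td({nowrap}, nonempty($q->escapeHTML($lastmoddate))) if $vis{'last_modified'};` and `print $q->td({nowrap}, nonempty($q->escapeHTML($closeddate))) if $vis{'closed_date'};`, keeping the escape inside `nonempty` so whatever placeholder `nonempty` substitutes for an empty field is not escaped itself. The `{nowrap}` attribute hash used on every new line is a one-element anonymous hash, which warns about an odd number of elements and leaves `nowrap` as a bareword; `{ -nowrap => undef }` is the unambiguous spelling and still emits the bare `nowrap` attribute. The enclosing query-results loop and its subroutine begin before this hunk.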