Escape the output to be HTML-safe.

author Florian Forster <octo@leeloo.(none)>

Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)

committer Florian Forster <octo@leeloo.(none)>

Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)
author Florian Forster <octo@leeloo.(none)>
Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)
committer Florian Forster <octo@leeloo.(none)>
Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)
diff --git a/licom.cgi b/licom.cgi

index 70e1e72..f96349b 100755 (executable)
--- a/licom.cgi
+++ b/licom.cgi
@@ -23,6 +23,7 @@ use lib (qw(lib));
  use CGI (':cgi');
  use CGI::Carp (qw(fatalsToBrowser));
  use URI::Escape;
+use HTML::Entities (qw(encode_entities));
  use Data::Dumper;
  
  use LiCoM::Config (qw(get_config set_config read_config));
@@ -139,8 +140,11 @@ sub action_browse
                         my $group_esc  = uri_escape ($group_name);
                         my $desc = $group->description ();
  
-                       print qq#\t\t\t<li><a href="$MySelf?action=browse&group=$group_esc">$group_name</a> ($members Member#, ($members == 1 ? ')' : 's)');
-                       print qq(<br />\n\t\t\t\t<span class="description">$desc</span>) if ($desc);
+                       print qq#\t\t\t<li><a href="$MySelf?action=browse&group=$group_esc">#,
+                       encode_entities ($group_name),
+                       qq#</a> ($members Member#, ($members == 1 ? ')' : 's)');
+                       print qq(<br />\n\t\t\t\t<span class="description">),
+                       encode_entities ($desc) . '</span>' if ($desc);
                         print "</li>\n";
                 }
                 if (!@groups)
@@ -226,7 +230,7 @@ EOF
                 {
                         my $field = $_;
                         my @values = $person->get ($field);
-                       print "\t\t\t\t<td>" . join ('<br />', @values) . "</td>\n";
+                       print "\t\t\t\t<td>" . join ('<br />', map { encode_entities ($_) } (@values)) . "</td>\n";
                 }
  
                 print "\t\t\t</tr>\n";
@@ -250,22 +254,23 @@ sub action_detail
         $cn = shift if (@_);
         die unless ($cn);
  
+       my $cn_html = encode_entities ($cn);
+       my $cn_uri  = uri_escape ($cn);
+
         my $person = LiCoM::Person->load ($cn);
         if (!$person)
         {
-               print qq(\t<div>Entry &quot;$cn&quot; could not be loaded from DB.</div>\n);
+               print qq(\t<div>Entry &quot;$cn_html&quot; could not be loaded from DB.</div>\n);
                 return;
         }
  
-       print qq(\t\t<h2>Details for $cn</h2>\n);
-
-       my $cn_esc = uri_escape ($cn);
+       print qq(\t\t<h2>Details for $cn_html</h2>\n);
  
         print <<EOF;
                 <table class="detail">
                         <tr>
                                 <th>Name</th>
-                               <td>$cn</td>
+                               <td>$cn_html</td>
                         </tr>
  EOF
         for (@MultiFields)
@@ -273,38 +278,51 @@ EOF
                 my $field = $_;
                 my $values = $person->get ($field);
                 my $num = scalar (@$values);
-               my $print = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field;
+               my $field_name = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field;
  
                 next unless ($num);
  
+               $field_name = encode_entities ($field_name);
+
                 print "\t\t\t<tr>\n";
                 if ($num > 1)
                 {
-                       print qq(\t\t\t\t<th rowspan="$num">$print</th>\n);
+                       print qq(\t\t\t\t<th rowspan="$num">$field_name</th>\n);
                 }
                 else
                 {
-                       print qq(\t\t\t\t<th>$print</th>\n);
+                       print qq(\t\t\t\t<th>$field_name</th>\n);
                 }
  
                 for (my $i = 0; $i < $num; $i++)
                 {
                         my $val = $values->[$i];
+                       my $val_uri  = uri_escape ($val);
+                       my $val_html = encode_entities ($val);
  
                         if ($field eq 'group')
                         {
-                               my $val_esc = uri_escape ($val);
-                               $val = qq(<a href="$MySelf?action=browse&group=$val_esc">$val</a>);
+                               $val = qq(<a href="$MySelf?action=browse&group=$val_uri">$val_html</a>);
                         }
                         elsif ($field eq 'uri')
                         {
-                               my $uri = $val;
-                               $uri = qq(http://$val) unless ($val =~ m#^[a-z]+://#);
-                               $val = qq(<a href="$uri" class="extern">$val</a>);
+                               if ($val =~ m#^([a-z]+)://(.+)$#)
+                               {
+                                       $val_uri = $1 . '://' . uri_escape ($2);
+                               }
+                               else
+                               {
+                                       $val_uri = 'http://' . uri_escape ($val);
+                               }
+                               $val = qq(<a href="$val_uri" class="extern">$val_html</a>);
                         }
                         elsif ($field eq 'mail')
                         {
-                               $val = qq(<a href="mailto:$val" class="mail">$val</a>);
+                               $val = qq(<a href="mailto:$val_uri" class="mail">$val_html</a>);
+                       }
+                       else
+                       {
+                               $val = $val_html;
                         }
                         
                         print "\t\t\t<tr>\n" if ($i);
@@ -323,10 +341,11 @@ EOF
                 {
                         my $group = $groups[$i];
                         my $group_name = $group->name ();
-                       my $group_esc = uri_escape ($group_name);
+                       my $group_uri  = uri_escape ($group_name);
+                       my $group_html = encode_entities ($group_name);
  
                         print "\t\t\t<tr>\n" if ($i != 0);
-                       print qq(\t\t\t\t<td><a href="$MySelf?action=browse&group=$group_esc">$group_name</a></td>\n),
+                       print qq(\t\t\t\t<td><a href="$MySelf?action=browse&group=$group_uri">$group_html</a></td>\n),
                         "\t\t\t</tr>\n";
                 }
         }
@@ -335,10 +354,10 @@ EOF
                 </table>
  
                 <div class="menu">
-                       [<a href="$MySelf?action=verify&cn=$cn_esc">Verify</a>]
-                       [<a href="$MySelf?action=vcard&cn=$cn_esc">vCard</a>]
-                       [<a href="$MySelf?action=edit&cn=$cn_esc">Edit</a>]
-                       [<a href="$MySelf?action=delete&cn=$cn_esc">Delete</a>]
+                       [<a href="$MySelf?action=verify&cn=$cn_uri">Verify</a>]
+                       [<a href="$MySelf?action=vcard&cn=$cn_uri">vCard</a>]
+                       [<a href="$MySelf?action=edit&cn=$cn_uri">Edit</a>]
+                       [<a href="$MySelf?action=delete&cn=$cn_uri">Delete</a>]
                 </div>
  
  EOF
@@ -388,9 +407,10 @@ sub action_search
         {
                 my $person = $_;
                 my $cn = $person->name ();
-               my $cn_esc = uri_escape ($cn);
+               my $cn_uri  = uri_escape ($cn);
+               my $cn_html = encode_entities ($cn);
  
-               print qq(\t\t<li><a href="$MySelf?action=detail&cn=$cn_esc">$cn</a></li>\n);
+               print qq(\t\t<li><a href="$MySelf?action=detail&cn=$cn_uri">$cn_html</a></li>\n);
         }
         print qq(\t</ul>\n);
  }
@@ -404,6 +424,8 @@ sub action_edit
         $cn = $opts{'cn'} if (defined ($opts{'cn'}));
         $cn ||= '';
  
+       my $cn_html = encode_entities ($cn);
+
         if (!$UserID)
         {
                 $cn = $UserCN;
@@ -451,7 +473,7 @@ sub action_edit
  
         if ($cn)
         {
-               print "\t\t<h2>Edit contact $cn</h2>\n";
+               print "\t\t<h2>Edit contact $cn_html</h2>\n";
         }
         else
         {
@@ -461,7 +483,7 @@ sub action_edit
         print <<EOF;
                 <form action="$MySelf" method="post">
                 <input type="hidden" name="action" value="save" />
-               <input type="hidden" name="cn" value="$cn" />
+               <input type="hidden" name="cn" value="$cn_html" />
                 <table class="edit">
                         <tr>
                                 <th>Lastname</th>
@@ -499,10 +521,13 @@ EOF
                 next if ($field eq 'group');
  
                 push (@values, '');
+
+               $field = encode_entities ($field);
+               $print = encode_entities ($print);
                 
                 for (@values)
                 {
-                       my $value = $_;
+                       my $value = encode_entities ($_);
  
                         print <<EOF;
                         <tr>
@@ -526,7 +551,7 @@ EOF
                         for (@all_groups)
                         {
                                 my $group = $_;
-                               my $group_name = $group->name ();
+                               my $group_name = encode_entities ($group->name ());
                                 my $selected = '';
  
                                 if (grep { $cn eq $_ } ($group->get_members ()))
@@ -626,7 +651,8 @@ sub action_save
                 }
                 else
                 {
-                       print qq(\t<div class="error">Group &quot;$group_name&quot; does not exist or could not be loaded.</div>\n);
+                       my $group_html = encode_entities ($group_name);
+                       print qq(\t<div class="error">Group &quot;$group_html&quot; does not exist or could not be loaded.</div>\n);
                 }
         }
  
@@ -672,7 +698,10 @@ sub action_update
                 $person->firstname ($firstname) if ($firstname and $firstname ne $person->firstname ());
  
                 $cn = $person->name ();
-               # FIXME Fix groups
+               # FIXME Fix groups:
+               # Each group is one entry of type (objectClass=groupOfNames)
+               # with one or more `member' attributes. These attributes are
+               # the `dn' (distinguished name) of the member entries.
         }
  
         my $contacts = get_contacts ();
@@ -793,6 +822,8 @@ sub action_verify
         $cn = shift if (@_);
         die unless ($cn);
  
+       my $cn_html = encode_entities ($cn);
+
         my $person = LiCoM::Person->load ($cn);
         die unless ($person);
  
@@ -800,21 +831,24 @@ sub action_verify
         $mail ||= '';
  
         my $message;
-       my $password = $person->get ('password');
+       my ($password) = $person->get ('password');
+       my $password_html;
  
         if (!$password)
         {
                 $password = pwgen ();
-               $person->set ('password', $password);
+               $person->set ('password', [$password]);
         }
+       $password_html = encode_entities ($password);
  
-       $message = qq(The password for the record &quot;$cn&quot; is &quot;$password&quot;.);
+       $message = qq(The password for the record &quot;$cn_html&quot; is &quot;$password_html&quot;.);
  
         if ($mail)
         {
                 if (action_verify_send_mail ($person))
                 {
-                       $message .= qq( A request for verification has been sent to $mail.);
+                       my $mail_html = encode_entities ($mail);
+                       $message .= qq( A request for verification has been sent to $mail_html.);
                 }
         }
         else
@@ -836,8 +870,8 @@ sub action_verify_send_mail
         my ($owner_mail) = $owner->get ('mail');
         if (!$owner_mail)
         {
-               my $cn = uri_escape ($UserCN);
-               print qq(\t\t<div class="error">You have no email set in your own profile. <a href="$MySelf?action=edit&cn=$cn">Edit it now</a>!</div>\n);
+               my $cn_uri = uri_escape ($UserCN);
+               print qq(\t\t<div class="error">You have no email set in your own profile. <a href="$MySelf?action=edit&cn=$cn_uri">Edit it now</a>!</div>\n);
                 return (0);
         }
  
@@ -848,15 +882,15 @@ sub action_verify_send_mail
         }
         $max_width++;
  
-       my $person_name = $person->name ();
+       my $person_name   = $person->name ();
         my ($person_mail) = $person->get ('mail');
-       my $person_gn = $person->firstname ();
-       my $password = $person->get ('password');
+       my $person_gn     = $person->firstname ();
+       my ($password)    = $person->get ('password');
  
         my $host = $ENV{'HTTP_HOST'};
         my $url = (defined ($ENV{'HTTPS'}) ? 'https://' : 'http://') . $host . $MySelf;
         
-       open ($smh, "| /usr/sbin/sendmail -t -f $owner_mail") or die ("open pipe to sendmail: $!");
+       open ($smh, '|-', '/usr/sbin/sendmail', '-t', '-f', $owner_mail) or die ("open (sendmail): $!");
         print $smh <<EOM;
  To: $person_name <$person_mail>
  From: $UserCN <$owner_mail>
@@ -905,19 +939,20 @@ sub action_ask_del
         my $person = LiCoM::Person->load ($cn);
         $person or die;
  
-       my $cn_esc = uri_escape ($cn);
+       my $cn_uri  = uri_escape ($cn);
+       my $cn_html = encode_entities ($cn);
  
         print <<EOF;
-               <h2>Really delete $cn?</h2>
+               <h2>Really delete $cn_html?</h2>
  
                 <div>
-                       You are about to delete <strong>$cn</strong>. Are you
-                       totally, absolutely sure you want to do this?
+                       You are about to delete <strong>$cn_html</strong>.
+                       Are you totally, absolutely sure you want to do this?
                 </div>
  
                 <div class="menu">
-                       [<a href="$MySelf?action=expunge&cn=$cn_esc">Yes, delete</a>]
-                       [<a href="$MySelf?action=detail&cn=$cn_esc">No, keep</a>]
+                       [<a href="$MySelf?action=expunge&cn=$cn_uri">Yes, delete</a>]
+                       [<a href="$MySelf?action=detail&cn=$cn_uri">No, keep</a>]
                 </div>
  
  EOF
@@ -928,13 +963,15 @@ sub action_do_del
         my $cn = param ('cn');
         $cn or die;
  
+       my $cn_html = encode_entities ($cn);
+
         my $person = LiCoM::Person->load ($cn);
         $person or die;
  
         $person->delete ();
  
         print <<EOF;
-               <div>$cn has been deleted.</div>
+               <div>$cn_html has been deleted.</div>
  
  EOF
         action_browse ();
@@ -945,6 +982,8 @@ sub html_start
         my $title = shift;
         $title = q(Lightweight Contact Manager) unless ($title);
  
+       $title = encode_entities ($title);
+
         print <<EOF;
  Content-Type: text/html; charset=UTF-8
  
@@ -1160,6 +1199,7 @@ EOF
         if ($UserID)
         {
                 my $search = param ('search') || '';
+               $search = encode_entities ($search);
                 print <<EOF;
                 <div class="topmenu">
                         <form action="$MySelf" method="post">
author	Florian Forster <octo@leeloo.(none)>
	Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)
committer	Florian Forster <octo@leeloo.(none)>
	Sun, 11 Jun 2006 14:23:44 +0000 (16:23 +0200)