[Codestriker-commits] CVS update: codestriker/lib/Codestriker/Http Response.pm
From: <si...@us...> - 2005-10-05 07:56:27
Created Codestriker topic at: http://codestriker.sourceforge.net/cgi-bin/codestriker.pl?topic=2904007&action=view User: sits Date: 05/10/05 00:56:10 Modified: . CHANGELOG html codestriker.js lib Codestriker.pm lib/Codestriker/Http Response.pm Log: * Comments containing '+' characters were changed into ' ' characters when posted via AJAX. Other potentially damaging characters are now escaped. * Comments with '\' characters are now displayed correctly in all cases within the tooltip window.
Index: CHANGELOG
===================================================================
RCS file: /cvsroot/codestriker/codestriker/CHANGELOG,v
retrieving revision 1.175
retrieving revision 1.176
diff -u -r1.175 -r1.176
--- CHANGELOG 11 Aug 2005 12:04:55 -0000 1.175
+++ CHANGELOG 5 Oct 2005 07:56:09 -0000 1.176
@@ -1,6 +1,15 @@
 *** When upgrading, don't forget to: "cd bin ; ./install.pl" ***
 *** Also, it is _highly_ advisable to backup your data before upgrading ***
+Version 1.9.2
+
+* Comments containing '+' characters were changed into ' ' characters
+ when posted via AJAX. Other potentially damaging characters are now
+ escaped.
+
+* Comments with '\' characters are now displayed correctly in all
+ cases within the tooltip window.
+
 Version 1.9.1
 * Correct problem introduced in 1.9.0 release where the email address
Index: codestriker.js
===================================================================
RCS file: /cvsroot/codestriker/codestriker/html/codestriker.js,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- codestriker.js 11 Aug 2005 12:04:55 -0000 1.13
+++ codestriker.js 5 Oct 2005 07:56:09 -0000 1.14
@@ -23,6 +23,22 @@
 windowHandle.focus();
 }
+// Function for escaping value to be URL safe. Also
+// make sure that potentially damaging punctuation
+// is escaped. For example, a '+' character will be
+// interpreted as a space character when it is put into a URL.
+function extra_escape(value)
+{
+ value = escape(value);
+ value = value.replace(/\//g, "%2F");
+ value = value.replace(/\?/g, "%3F");
+ value = value.replace(/\=/g, "%3D");
+ value = value.replace(/\+/g, "%2B");
+ value = value.replace(/\&/g, "%26");
+ value = value.replace(/\@/g, "%40");
+ return value;
+}
+
 // Retrieve the value of a cookie by name.
 function getCookie(name)
 {
@@ -249,7 +265,7 @@
 // cookie, so that it is remembered for the next add comment tooltip.
 var cookie = getCookie('codestriker_cookie');
 cs_email = comment_form.email.value;
- var email_value = escape(cs_email);
+ var email_value = extra_escape(cs_email);
 if (cookie == null || cookie == '') {
 cookie = 'email&' + email_value;
 }
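Review bot: extra_escape still builds on escape(), which encodes characters above U+00FF as %uXXXX sequences that an ordinary percent-decoder on the server does not recognise, so a comment containing accented or non-Latin text can still arrive mangled even though the six listed punctuation characters are now covered; the same applies to every call site in the -249 hunk here and in the submit_comment hunk that follows. encodeURIComponent() handles '/', '?', '=', '+', '&' and '@' as well as multibyte characters (as UTF-8) in one call, so the body could become `return encodeURIComponent(value);` with the replace chain removed. If escape() is kept deliberately for older browsers, the header comment should say so, since the hand-maintained list is otherwise easy to mistake for a complete one.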
@@ -266,20 +282,20 @@
 // request as an XMLHttpRequest, and return false so the browser
 // does nothing else.
 var params = 'action=submit_comment';
- params += '&line=' + escape(comment_form.line.value);
- params += '&topic=' + escape(comment_form.topic.value);
- params += '&fn=' + escape(comment_form.fn.value);
- params += '&new=' + escape(comment_form.newval.value);
- params += '&comments=' + escape(comment_form.comments.value);
- params += '&email=' + escape(comment_form.email.value);
- params += '&comment_cc=' + escape(comment_form.comment_cc.value);
+ params += '&line=' + extra_escape(comment_form.line.value);
+ params += '&topic=' + extra_escape(comment_form.topic.value);
+ params += '&fn=' + extra_escape(comment_form.fn.value);
+ params += '&new=' + extra_escape(comment_form.newval.value);
+ params += '&comments=' + extra_escape(comment_form.comments.value);
+ params += '&email=' + extra_escape(comment_form.email.value);
+ params += '&comment_cc=' + extra_escape(comment_form.comment_cc.value);
 params += '&format=xml';
 for (var i = 0; i < top.cs_metric_data.length; i++) {
 var comment_param =
- escape('comment_state_metric_' + top.cs_metric_data[i].name);
+ extra_escape('comment_state_metric_' + top.cs_metric_data[i].name);
 params += '&' + comment_param + '=' +
- escape(eval('comment_form.' + comment_param + '.value'));
+ extra_escape(eval('comment_form.' + comment_param + '.value'));
 }
 setStatusText('Submitting comment...');
Index: Codestriker.pm
===================================================================
RCS file: /cvsroot/codestriker/codestriker/lib/Codestriker.pm,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- Codestriker.pm 11 Aug 2005 12:04:55 -0000 1.79
+++ Codestriker.pm 5 Oct 2005 07:56:10 -0000 1.80
@@ -27,7 +27,7 @@
 );
 # Version of Codestriker.
-$Codestriker::VERSION = "1.9.1";
+$Codestriker::VERSION = "1.9.2";
 # Default title to display on each Codestriker screen.
 $Codestriker::title = "Codestriker $Codestriker::VERSION";
Index: Response.pm
===================================================================
RCS file: /cvsroot/codestriker/codestriker/lib/Codestriker/Http/Response.pm,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- Response.pm 7 Jun 2005 22:51:46 -0000 1.34
+++ Response.pm 5 Oct 2005 07:56:10 -0000 1.35
@@ -385,6 +385,7 @@
 # Need to format the data appropriately for HTML display.
 my $data = HTML::Entities::encode($comment->{data});
+ $data =~ s/\\/\\\\/mgo;
 $data =~ s/\'/\\\'/mgo;
 $data =~ s/\n/<br>/mgo;
 $data =~ s/ \s+/' ' x (length($&)-1)/emgo;
|
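Review bot: The added backslash escaping is correctly ordered ahead of the single-quote escaping, but a carriage return still passes through untouched: HTML::Entities::encode leaves \r alone by default and only \n is rewritten to <br>, so a comment posted with CRLF line endings would carry a raw CR into what the quote escaping suggests is a single-quoted JavaScript string literal, where a bare line terminator ends the string early. Normalising line endings before the <br> substitution closes that gap, e.g. `$data =~ s/\r\n?/\n/mg;` inserted just before the `s/\n/<br>/` line. As a point of style, the /o modifier on all four substitutions is a no-op because none of the patterns interpolate a variable, and dropping it would make the intent clearer. The enclosing subroutine starts and ends outside the hunk, so I am inferring the JavaScript context from the escaping alone.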