From: Alessio B. <al...@al...> - 2001-01-02 14:45:08
There is a problem in Slash if an admin has an aid including spaces or other "unsafe" characters: the link 'Also by' is constructed blindly from the aid without escaping those chars, preventing the search from working properly.

In admin.pl:

sub otherLinks {
	my $aid = shift;
	my $tid = shift;

	my $T = getTopic($tid);

	return <<EOT;
<LI><A HREF="$I{rootdir}/search.pl?topic=$tid">More on $T->{alttext}</A></LI>
<LI><A HREF="$I{rootdir}/search.pl?author=$aid">Also by $aid</A></LI>
EOT
}

should be something like

sub otherLinks {
	my $aid = shift;
	my $esc_aid = $I{query}->escape($aid);
	my $tid = shift;

	my $T = getTopic($tid);

	return <<EOT;
<LI><A HREF="$I{rootdir}/search.pl?topic=$tid">More on $T->{alttext}</A></LI>
<LI><A HREF="$I{rootdir}/search.pl?author=$esc_aid">Also by $aid</A></LI>
EOT
}

This has been ported to Bender:

plugins/Slash-Admin/dump:11:INSERT INTO templates VALUES ('','otherLinks','admin','default','eng','<LI><A HREF=\"[% constants.rootdir %]/search.pl?topic=[% tid %]\">More on [% topic.alttext %]</A></LI>\r\n<LI><A HREF=\"[% constants.rootdir %]/search.pl?author=[% aid %]\">Also by [% aid %]</A></LI>',500,'',NULL);

Hope it helps

-- 
Alessio F. Bragadini		al...@al...
APL Financial Services		http://village.albourne.com
Nicosia, Cyprus			phone: +357-2-755750

"It is more complicated than you think"
      -- The Eighth Networking Truth from RFC 1925
From: Patrick G. <cap...@sl...> - 2001-01-02 15:09:38
Alessio Bragadini wrote:
> 
> There is a problem in Slash if an admin has an aid including spaces or
> other "unsafe" characters: the link 'Also by' is constructed blindly
> from the aid without escaping those chars, preventing the search to work
> properly.
> 
> in admin.pl:
> 
> sub otherLinks {
> 	my $aid = shift;
> 	my $tid = shift;
> 
> 	my $T = getTopic($tid);
> 
> 	return <<EOT;
> <LI><A HREF="$I{rootdir}/search.pl?topic=$tid">More on
> $T->{alttext}</A></LI>
> <LI><A HREF="$I{rootdir}/search.pl?author=$aid">Also by $aid</A></LI>
> EOT
> 
> should be something like
> 
> sub otherLinks {
> 	my $aid = shift;
> 	my $esc_aid = $I{query}->escape($aid);
> 	my $tid = shift;
> 
> 	my $T = getTopic($tid);
> 
> 	return <<EOT;
> <LI><A HREF="$I{rootdir}/search.pl?topic=$tid">More on
> $T->{alttext}</A></LI>
> <LI><A HREF="$I{rootdir}/search.pl?author=$esc_aid">Also by
> $aid</A></LI>
> EOT
> 
> This has been ported to Bender:
> 
> plugins/Slash-Admin/dump:11:INSERT INTO templates VALUES
> ('','otherLinks','admin','default','eng','<LI><A HREF=\"[%
> constants.rootdir %]/search.pl?topic=[% tid
> %]\">More on [% topic.alttext %]</A></LI>\r\n<LI><A HREF=\"[%
> constants.rootdir
> %]/search.pl?author=[% aid %]\">Also by [% aid
> %]</A></LI>',500,'',NULL);

Thanks, this can be a quick fix to main and bender by filtering the aid.

> Hope it helps
> 
> -- 
> Alessio F. Bragadini		al...@al...
> APL Financial Services		http://village.albourne.com
> Nicosia, Cyprus			phone: +357-2-755750
> 
> "It is more complicated than you think"
>       -- The Eighth Networking Truth from RFC 1925
> 
> _______________________________________________
> Slashcode-development mailing list
> Sla...@li...
> http://lists.sourceforge.net/mailman/listinfo/slashcode-development

-- 
Patrick Galbraith                       Open Source Development Network
Senior Software Developer               50 Nagog Park
Slash Code Development Team             Acton, MA 01720
"Energy and Persistence conquer all things".  Benjamin Franklin
From: Chris N. <pu...@po...> - 2001-01-03 19:18:58
At 16:45 +0200 2001.01.02, Alessio Bragadini wrote:
>This has been ported to Bender:
>
>plugins/Slash-Admin/dump:11:INSERT INTO templates VALUES
>('','otherLinks','admin','default','eng','<LI><A HREF=\"[%
>constants.rootdir %]/search.pl?topic=[% tid
>%]\">More on [% topic.alttext %]</A></LI>\r\n<LI><A HREF=\"[%
>constants.rootdir
>%]/search.pl?author=[% aid %]\">Also by [% aid
>%]</A></LI>',500,'',NULL);

In bender, to escape data in a URL parameter, use fixparam. For example:

	[% FILTER fixparam; aid; END %]

Or in Perl:

	fixparam($aid)

Similarly, for TEXTAREA contents always use "strip_literal", for form elements (INPUT VALUE="...") always use "strip_attribute". This is all documented in the Slash::Utility manpage, and in the Slash::Display manpage.

It is better to not pre-filter variables before passing them to a template. i.e., for a while we were doing:

	slashDisplay('template', {
		aid_param => fixparam($aid),
		aid_form  => strip_attribute($aid),
	});

We've instead been moving toward passing plain variables, and leaving it to the template to fix them with the proper filter.

-- 
Chris Nandor                      pu...@po...    http://pudge.net/
Open Source Development Network    pu...@os...     http://osdn.com/
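Worked example, added here and not code from the thread or from Slash: a stand-alone Perl script that contrasts the blind interpolation from admin.pl with a version that applies a context-specific filter to each use of the aid, as Chris describes. escape_param and escape_attribute are local stand-ins for fixparam and strip_attribute, $rootdir stands in for $I{rootdir}, and the sample aids are constructed; it goes one step beyond Alessio's patch by also escaping the aid where it appears as link text.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for fixparam / $I{query}->escape (not Slash's own code):
# percent-encode everything except RFC 3986 unreserved characters.
sub escape_param {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Stand-in for strip_attribute: entity-escape so the value cannot
# terminate an attribute or start a tag when placed in HTML.
sub escape_attribute {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

my $rootdir = '/slash';    # assumed value for $I{rootdir}

# The pattern from admin.pl: aid interpolated blindly into the URL.
sub also_by_unescaped {
    my ($aid) = @_;
    return qq{<LI><A HREF="$rootdir/search.pl?author=$aid">Also by $aid</A></LI>};
}

# Each use of aid gets the filter for its context: URL-parameter
# escaping inside the query string, attribute escaping for the text.
sub also_by_escaped {
    my ($aid) = @_;
    my $param = escape_param($aid);
    my $text  = escape_attribute($aid);
    return qq{<LI><A HREF="$rootdir/search.pl?author=$param">Also by $text</A></LI>};
}

# Constructed admin ids with "unsafe" characters: a space, and an
# ampersand that would otherwise begin a second query parameter.
for my $aid ('Alessio B', 'al&b') {
    print "aid: $aid\n";
    print "  unescaped: ", also_by_unescaped($aid), "\n";
    print "  escaped:   ", also_by_escaped($aid), "\n";
}
```

In a Bender template the same split is expressed in place, with [% FILTER fixparam; aid; END %] in the HREF and the attribute filter on the visible text, rather than pre-filtering before slashDisplay.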