From: <de...@de...> - 2011-06-14 03:59:53
Author: PeterThoeny Date: 2011-06-13 22:59:46 -0500 (Mon, 13 Jun 2011) New Revision: 21500 Trac url: http://develop.twiki.org/trac/changeset/21500 Modified: twiki/branches/TWikiRelease05x00/core/data/TWiki/VarENCODE.txt twiki/branches/TWikiRelease05x00/core/data/TWiki/VarFORMFIELD.txt twiki/branches/TWikiRelease05x00/core/data/TWiki/VarURLPARAM.txt Log: Item6750: Encode also space in encode="html" to preserve TML in HTML input fields, for ENCODE, URLPARAM and FORMFIELD - updating docs Modified: twiki/branches/TWikiRelease05x00/core/data/TWiki/VarENCODE.txt =================================================================== --- twiki/branches/TWikiRelease05x00/core/data/TWiki/VarENCODE.txt 2011-06-14 03:57:45 UTC (rev 21499) +++ twiki/branches/TWikiRelease05x00/core/data/TWiki/VarENCODE.txt 2011-06-14 03:59:46 UTC (rev 21500) @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1267946812" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1308022908" format="1.1" version="$Rev$"}% %META:TOPICPARENT{name="TWikiVariables"}% #VarENCODE ---+++ ENCODE{"string"} -- encodes a string to HTML entities 
@@ -14,12 +14,12 @@ | =type="quotes"= | Escape double quotes with backslashes (=\"=), does not change other characters. This type does not protect against cross-site scripting. | =type="url"= | | =type="moderate"= | Encode special characters into HTML entities for moderate cross-site scripting protection: ="<"=, =">"=, single quote (='=) and double quote (="=) are encoded. Useful to allow TWiki variables in comment boxes. | =type="url"= | | =type="safe"= | Encode special characters into HTML entities for cross-site scripting protection: ="<"=, =">"=, ="%"=, single quote (='=) and double quote (="=) are encoded. | =type="url"= | - | =type="entity"= | Encode special characters into HTML entities, like a double quote into =&#034;=. Does *not* encode newline (=\n=) or linefeed (=\r=). Useful to encode text properly in HTML input fields. | =type="url"= | - | =type="html"= | As =type="entity"= except it also encodes =\n= and =\r= | =type="url"= | + | =type="entity"= | Encode special characters into HTML entities, like a double quote into =&#034;=. Does *not* encode newline (=\n=) or linefeed (=\r=). | =type="url"= | + | =type="html"= | Encode special characters into HTML entities. In addition to =type="entity"=, it also encodes space, =\n= and =\r=. Useful to encode text properly in HTML input fields. 
| =type="url"= | * Example: =%<nop>ENCODE{"spaced name"}%= expands to =%ENCODE{"spaced name"}%= * __%X% Notes:__ - * Values of HTML input fields must be entity encoded.%BR% Example: =<input type="text" name="address" value="%<nop>ENCODE{ "any text" type="entity" }%" />= + * Values of HTML input fields should encoded as ="html"=.%BR% Example: =<input type="text" name="address" value="%<nop>ENCODE{ "any text" type="html" }%" />= * Double quotes in strings must be escaped when passed into other TWiki variables.%BR% Example: =%<nop>SEARCH{ "%<nop>ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%= * Use =type="moderate"=, =type="safe"= or =type="entity"= to protect user input from URL parameters and external sources against [[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-site scripting]] (XSS). =type="entity"= is the safest mode, but some TWiki applications might not work. =type="safe"= provides a safe middle ground, =type="moderate"= provides only moderate cross-site scripting protection. - * Related: [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarURLPARAM][URLPARAM]] + * Related: [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarFORMFIELD][FORMFIELD]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarQUERYPARAMS][QUERYPARAMS]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarURLPARAM][URLPARAM]] Modified: twiki/branches/TWikiRelease05x00/core/data/TWiki/VarFORMFIELD.txt =================================================================== --- twiki/branches/TWikiRelease05x00/core/data/TWiki/VarFORMFIELD.txt 2011-06-14 03:57:45 UTC (rev 21499) +++ twiki/branches/TWikiRelease05x00/core/data/TWiki/VarFORMFIELD.txt 2011-06-14 03:59:46 UTC (rev 21500) 
@@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1294556032" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1308022908" format="1.1" version="$Rev$"}% %META:TOPICPARENT{name="TWikiVariables"}% #VarFORMFIELD ---+++ FORMFIELD{"fieldname"} -- renders a field in the form attached to some topic 
@@ -10,5 +10,8 @@ | =format="..."= | Format string. Variable =$value= expands to the field value, =$title= to the raw field name, =$name= to the field name, =$attributes= to the attributes, =$type= to the form field type, =$size= to the size, and =$definingTopic= to the form definition topic. | ="$value"= | | =default="..."= | Text shown when no value is defined for the field | =""= | | =alttext="..."= | Text shown when field is not found in the form | =""= | + | =newline="$br"= | Convert newlines in textarea to other delimiters. Variable =$br= expands to =<br />= tag, and =$n= to a newline. Other text is encoded based on =encode= parameter. | no conversion | + | =encode="html"= | Encode special characters into HTML entities. If a FORMFIELD is passed into an HTML form field it should be encoded as ="html"=. Additional encodings available: =encode="quote"=, =encode="moderate"=, =encode="safe"=, =encode="entity"= and =encode="url"=. See [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODE]] for details. 
| =""= (no encoding) | * Example: =%<nop>FORMFIELD{"<nop>ProjectName" topic="Projects.<nop>SushiProject" default="(not set)" alttext="<nop>ProjectName field not found"}%= - * Related: [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarMETASEARCH][METASEARCH]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarSEARCH][SEARCH]], FormattedSearch, QuerySearch, SearchHelp + * Example: =<input type="text" name="Address" value="%<nop>FORMFIELD{ "Address" encode="html" }%" />= + * Related: [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODE]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarMETASEARCH][METASEARCH]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarSEARCH][SEARCH]], FormattedSearch, QuerySearch, SearchHelp Modified: twiki/branches/TWikiRelease05x00/core/data/TWiki/VarURLPARAM.txt =================================================================== --- twiki/branches/TWikiRelease05x00/core/data/TWiki/VarURLPARAM.txt 2011-06-14 03:57:45 UTC (rev 21499) +++ twiki/branches/TWikiRelease05x00/core/data/TWiki/VarURLPARAM.txt 2011-06-14 03:59:46 UTC (rev 21500) @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1269044131" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1308022908" format="1.1" version="$Rev$"}% %META:TOPICPARENT{name="TWikiVariables"}% #VarURLPARAM ---+++ URLPARAM{"name"} -- get value of a URL parameter 
@@ -7,21 +7,22 @@ * Supported parameters: | *Parameter:* | *Description:* | *Default:* | | ="name"= | The name of a URL parameter | required | - | =default="..."= | Default value in case parameter is empty or missing | empty string | | =newline="$br"= | Convert newlines in textarea to other delimiters. Variables =$br= (for =<br />= tag), =$n= (for newline) are expanded. Other text is encoded based on =encode= parameter. | no conversion | | =encode="off"= | Turn off encoding. See important security note below | =encode="safe"= | | =encode="quote"= | Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other TWiki variables. This encoding does not protect against cross-site scripting. | =encode="safe"= | | =encode="moderate"= | Encode special characters into HTML entities for moderate cross-site scripting protection: ="<"=, =">"=, single quote (='=) and double quote (="=) are encoded. Useful to allow TWiki variables in comment boxes. | =encode="safe"= | | =encode="safe"= | Encode special characters into HTML entities for cross-site scripting protection: ="<"=, =">"=, ="%"=, single quote (='=) and double quote (="=) are encoded. | (this is the default) | - | =encode="entity"= | Encode special characters into HTML entities. See [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODE]] for more details. | =encode="safe"= | - | =encode="html"= | As =encode="entity"= except it also encodes newline (=\n=) and linefeed (=\r=) | =encode="safe"= | + | =encode="entity"= | Encode special characters into HTML entities. See [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODE]] for details. | =encode="safe"= | + | =encode="html"= | Encode special characters into HTML entities. In addition to =encode="entity"=, it also encodes space, newline (=\n=) and linefeed (=\r=). Useful to encode text properly in HTML input fields. 
| =encode="safe"= | | =encode="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | =encode="safe"= | | =multiple="on"= %BR% =multiple="[<nop>[$item]]"= | If set, gets all selected elements of a =<select multiple="multiple">= tag. A format can be specified, with =$item= indicating the element, e.g. =multiple="Option: $item"= | first element | | =separator=", "= | Separator between multiple selections. Only relevant if multiple is specified | ="\n"= (newline) | + | =format="..."= | Format the result. =$value= expands to the URL parameter. If multiple is specified, =$value= expands to the result of the concatenated items. | ="$value"= | + | =default="..."= | Default value in case parameter is empty or missing. The format parameter is not applied. | empty string | * Example: =%<nop>URLPARAM{"skin"}%= returns =print= for a =.../view/%WEB%/%INCLUDINGTOPIC%?skin=print= URL * __%X% Notes:__ * *IMPORTANT:* There is a risk that this variable can be misused for [[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-site scripting]] (XSS) if the encoding is turned off. The =encode="safe"= is the default, it provides a safe middle ground. The =encode="entity"= is more aggressive, but some TWiki applications might not work. - * URL parameters passed into HTML form fields must be entity [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODEd]].%BR% Example: =<input type="text" name="address" value="%<nop>URLPARAM{ "address" encode="entity" }%" />= + * URL parameters passed into HTML form fields should be [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][encoded]] as ="html"=. 
%BR% Example: =<input type="text" name="address" value="%<nop>URLPARAM{ "address" encode="html" }%" />= * Double quotes in URL parameters must be escaped when passed into other TWiki variables.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quotes" }%" noheader="on" }%= * When used in a template topic, this variable will be expanded when the template is used to create a new topic. See TWikiTemplates#TemplateTopicsVars for details. * Watch out for TWiki internal parameters, such as =rev=, =skin=, =template=, =topic=, =web=; they have a special meaning in TWiki. Common parameters and view script specific parameters are documented at TWikiScripts. |
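Review bot: in the VarENCODE.txt doc hunk, the rewritten note line "Values of HTML input fields should encoded as ="html"=" is missing the verb; make it "should be encoded as ="html"=". In the same hunk the XSS bullet still says "Use =type="moderate"=, =type="safe"= or =type="entity"= to protect user input ... =type="entity"= is the safest mode", while the table just above now defines =type="html"= as entity plus space, =\n= and =\r= and recommends it for input fields; add =type="html"= to that bullet so the statement about which mode is strictest matches the table. The new html row also only says it "also encodes space"; the commit log gives the reason (to preserve TML in HTML input fields), and that rationale belongs in the row, since "encodes space" alone does not tell a reader when to prefer html over entity.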
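Review bot: in the VarFORMFIELD.txt hunk, the new =encode= row's default column is =""= (no encoding), so unlike URLPARAM (default =encode="safe"=) FORMFIELD emits the stored form value unencoded unless the author asks otherwise; say that explicitly in the row ("no encoding is applied unless =encode= is set") and note that the first example, which has no =encode=, must not be placed inside an HTML attribute, because a form field value is user-supplied content. The new =newline="$br"= row says "Other text is encoded based on =encode= parameter", which implies the substituted =<br />= is the one piece of output that =encode="html"= leaves untouched; state that directly so a reader does not assume the whole value is entity-encoded.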
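Review bot: in the VarURLPARAM.txt hunk, the moved =default="..."= row now says "The format parameter is not applied" but not whether the =encode= parameter applies to the default text; document it either way, since that is the one place a literal string from the topic author reaches the page. The *IMPORTANT* note in the same hunk still ranks =encode="entity"= as the more aggressive mode; with =encode="html"= now defined as entity plus space, =\n= and =\r= and recommended for input fields, mention html there too. Parameter spelling is also inconsistent across the changeset: the URLPARAM table row is =encode="quote"= but the SEARCH example bullet in the same hunk uses =encode="quotes"=, VarFORMFIELD.txt lists =encode="quote"=, and VarENCODE.txt documents =type="quotes"=; pick the spelling the code actually accepts and use it in all three topics, because a misspelled encode value silently falls back to whatever the default is.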