Timestamp:
07/27/10 13:56:39 (14 years ago)
Author:
Kris Deugau
Message:

/branches/htmlform

Escape forwarded form data with $q->escapeHTML on most forms in
main.cgi (see #15)
Fix up most subs in IPDB.pm that deal with form data that needs
escaping (see #34)

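--- a/branches/htmlform/cgi-bin/main.cgi
+++ b/branches/htmlform/cgi-bin/main.cgi
@@ -825,12 +825,12 @@
   $html =~ s|\$\$ALLOC_FROM\$\$|$alloc_from|g;
   $html =~ s|\$\$CIDR\$\$|$cidr|g;
-  $webvar{city} = desanitize($webvar{city});
+  $webvar{city} = $q->escapeHTML($webvar{city});
   $html =~ s|\$\$CITY\$\$|$webvar{city}|g;
   $html =~ s|\$\$CUSTID\$\$|$webvar{custid}|g;
-  $webvar{circid} = desanitize($webvar{circid});
+  $webvar{circid} = $q->escapeHTML($webvar{circid});
   $html =~ s|\$\$CIRCID\$\$|$webvar{circid}|g;
-  $webvar{desc} = desanitize($webvar{desc});
+  $webvar{desc} = $q->escapeHTML($webvar{desc});
   $html =~ s|\$\$DESC\$\$|$webvar{desc}|g;
-  $webvar{notes} = desanitize($webvar{notes});
+  $webvar{notes} = $q->escapeHTML($webvar{notes});
   $html =~ s|\$\$NOTES\$\$|$webvar{notes}|g;
   $html =~ s|\$\$ACTION\$\$|insert|g;
@@ -841,6 +841,7 @@
   if ($IPDBacl{$authuser} =~ /s/) {
     $privdata = qq(<tr class="color).($i%2).qq("><td>Restricted data:</td>).
-        qq(<td class=regular>$webvar{privdata}).
-        qq(<input type=hidden name=privdata value="$webvar{privdata}"></td></tr>\n);
+        "<td class=regular>".$q->escapeHTML($webvar{privdata}).
+        qq(<input type=hidden name=privdata value=").$q->escapeHTML($webvar{privdata}).
+        qq("></td></tr>\n);
     $i++;
   }
@@ -1180,4 +1181,6 @@
     # Relatively simple SQL transaction here.
     my $sql;
+##fixme:  SQL parameters (#34)
+# need to make sure we log roughly the same info
     if (my $pooltype = ($webvar{alloctype} =~ /^(.)i$/) ) {
       $sql = "update poolips set custid='$webvar{custid}',notes='$webvar{notes}',".
@@ -1244,5 +1247,5 @@
 my $swiptmp = ($webvar{swip} eq 'on' ? 'Yes' : 'No');
   $html =~ s/\$\$BLOCK\$\$/$webvar{block}/g;
-  $webvar{city} = desanitize($webvar{city});
+  $webvar{city} = $q->escapeHTML($webvar{city});
   $html =~ s/\$\$CITY\$\$/$webvar{city}/g;
   $html =~ s/\$\$ALLOCTYPE\$\$/$webvar{alloctype}/g;
@@ -1250,9 +1253,9 @@
   $html =~ s/\$\$CUSTID\$\$/$webvar{custid}/g;
   $html =~ s/\$\$SWIP\$\$/$swiptmp/g;
-  $webvar{circid} = desanitize($webvar{circid});
+  $webvar{circid} = $q->escapeHTML($webvar{circid});
   $html =~ s/\$\$CIRCID\$\$/$webvar{circid}/g;
-  $webvar{desc} = desanitize($webvar{desc});
+  $webvar{desc} = $q->escapeHTML($webvar{desc});
   $html =~ s/\$\$DESC\$\$/$webvar{desc}/g;
-  $webvar{notes} = desanitize($webvar{notes});
+  $webvar{notes} = $q->escapeHTML($webvar{notes});
   $html =~ s/\$\$NOTES\$\$/$webvar{notes}/g;
   $html =~ s/\$\$BACKLINK\$\$/$backlink/g;
@@ -1261,5 +1264,5 @@
   if ($IPDBacl{$authuser} =~ /s/) {
     $privdata = qq(<tr class="color2"><td valign="top">Restricted data:</td>).
-        qq(<td class="regular">).desanitize($webvar{privdata}).qq(</td></tr>\n);
+        qq(<td class="regular">).$q->escapeHTML($webvar{privdata}).qq(</td></tr>\n);
   }
   $html =~ s/\$\$PRIVDATA\$\$/$privdata/g;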
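Review bot: In the first hunk `$webvar{custid}` is still interpolated into the page unescaped at line 829 (`$html =~ s|\$\$CUSTID\$\$|$webvar{custid}|g;`) while the neighbouring city/circid/desc/notes fields now go through escapeHTML, and the hunks at 1244–1248 and 1250–1258 leave `$webvar{block}`, `$webvar{alloctype}` and `$webvar{custid}` unescaped in the same way. Unless those values are validated against a strict pattern earlier in the request (not visible in these hunks), they should get the same treatment, e.g. `$webvar{custid} = $q->escapeHTML($webvar{custid});` immediately before each substitution. Note also that the commit escapes by overwriting `%webvar` in place, so any later use of those keys in the same request (logging, the SQL at 1186, another hidden field) would see entity-encoded text; escaping at the substitution site, as the two privdata hunks do, avoids that. The enclosing subroutines start and end outside every hunk.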