
CVS: mhonarc/MHonArc/lib mhexternal.pl,2.10,2.11

2002-09-24 20:55:50
Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv15913

Modified Files:
	mhexternal.pl 
Log Message:
* Make sure to htmlize name parameter to avoid any potential XSS.
* Will display subject of a message for a message attachment link.
* Removed private htmlize routine and replaced with calls to mhonarc's.


Index: mhexternal.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhexternal.pl,v
retrieving revision 2.10
retrieving revision 2.11
diff -C2 -r2.10 -r2.11
*** mhexternal.pl	6 Oct 2001 14:02:38 -0000	2.10
--- mhexternal.pl	25 Sep 2002 03:55:44 -0000	2.11
***************
*** 158,162 ****
      ## Check if content is excluded based on filename extension
      if ($excexts && index($excexts, ",$dispext,") >= $[) {
!       return (qq|<p><tt>&lt&lt;attachment: $nameparm&gt;&gt;</tt></p>\n|);
      }
  
--- 158,164 ----
      ## Check if content is excluded based on filename extension
      if ($excexts && index($excexts, ",$dispext,") >= $[) {
!       return (qq|<p><tt>&lt&lt;attachment: |.
! 	      mhonarc::htmlize($nameparm).
! 	      qq|&gt;&gt;</tt></p>\n|);
      }
  
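Review bot: The literal on L36 still spells the first entity as `&lt` with no closing semicolon (`&lt&lt;attachment: `), carried over from the old line; browsers are lenient but it is malformed HTML and should read `qq|<p><tt>&lt;&lt;attachment: |.` to match the correctly formed `&gt;&gt;` on L38. Routing `$nameparm` through mhonarc::htmlize is the right fix for that text node. The enclosing sub starts and ends outside this hunk.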
***************
*** 215,219 ****
      ## Create HTML markup
      if ($inline) {
! 	$ret  = "<p>".htmlize($fields->{'content-description'}[0])."</p>\n"
  	    if (defined $fields{'content-description'});
  	$ret .= qq|<p><a href="$urlfile" $target><img src="$urlfile" | .
--- 217,223 ----
      ## Create HTML markup
      if ($inline) {
! 	$ret  = '<p>'.
! 		mhonarc::htmlize($fields->{'content-description'}[0]).
! 		"</p>\n"
  	    if (defined $fields{'content-description'});
  	$ret .= qq|<p><a href="$urlfile" $target><img src="$urlfile" | .
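Review bot: The guard on L54, `if (defined $fields{'content-description'})`, reads a hash named `%fields`, while the new line L52 dereferences `$fields->{'content-description'}[0]`; unless a separate `%fields` is in scope here (not visible in this hunk), the condition inspects a different variable from the value being rendered and the description line could be emitted or suppressed incorrectly. I would make the two consistent: `if (defined $fields->{'content-description'});`. As a style point, a postfix `if` hanging off a three-line concatenation is easy to misread; a block `if` around the assignment would be clearer. The enclosing sub starts and ends outside this hunk.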
***************
*** 221,227 ****
  
      } else {
! 	my $namelabel = $nameparm || $urlfile;
! 	my $desc = htmlize($fields->{'content-description'}[0]) ||
! 		   $type;
  	# check if using icon
  	my($icon_mu, $iconurl, $iw, $ih);
--- 225,241 ----
  
      } else {
! 	my $is_mesg = $ctype =~ /^message\//;
! 	my $desc = '<em>Description:</em> ';
! 	my $namelabel;
! 
! 	if ($is_mesg && ($$data =~ /^subject:\s(.+)$/mi)) {
! 	    $namelabel = mhonarc::htmlize($1);
! 	    $desc .= 'Message attachment';
! 	} else {
! 	    $desc .= mhonarc::htmlize($fields->{'content-description'}[0]) ||
! 		     $type;
! 	    $namelabel = mhonarc::htmlize($nameparm || $urlfile);
! 	}
! 
  	# check if using icon
  	my($icon_mu, $iconurl, $iw, $ih);
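Review bot: On the fallback branch (L76-L77) `$type` is appended to `$desc` unescaped while the description beside it is htmlized; if `$type` derives from the message's Content-Type header (where it is set is not visible here), it is attacker-influenced text in the same HTML context and should be `mhonarc::htmlize($type)` as well. The subject lookup on L72, `/^subject:\s(.+)$/mi`, scans all of `$$data` rather than the header block, so a `subject:` line in the body is used when the header is absent, a folded header is truncated to its first physical line, and `\s` admits exactly one blank after the colon; limiting the match to the text before the first blank line would make the label more reliable. `$1` is consumed on the very next statement, which is fine. The enclosing sub starts and ends outside this hunk.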
***************
*** 250,254 ****
  <p><strong><a href="$urlfile" $target>$icon_mu</a>
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</p>
  EOT
  	    } else {
--- 264,268 ----
  <p><strong><a href="$urlfile" $target>$icon_mu</a>
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</p>
  EOT
  	    } else {
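Review bot: `$namelabel` is now escaped before it lands inside `<tt>`, but `$urlfile` on L91-L92 (and in the matching templates of the hunks ending at L108, L121 and L134) is interpolated into `href="..."` with no attribute-context escaping; if `$urlfile` can carry a double quote or other attacker-influenced characters (its construction is not visible in this diff), the attribute needs its own escaping, for example a `my $urlfile_mu = mhonarc::htmlize($urlfile);` used in the href, assuming mhonarc::htmlize also escapes `"` which I cannot confirm from here. The move of the `Description:` label into `$desc` itself is fine. The enclosing sub starts and ends outside this hunk.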
***************
*** 256,260 ****
  <p><strong>Attachment:
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</p>
  EOT
  	    }
--- 270,274 ----
  <p><strong>Attachment:
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</p>
  EOT
  	    }
***************
*** 265,269 ****
  <tr valign="top"><td><strong><a href="$urlfile" $target>$icon_mu</a>
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</td></tr></table>
  EOT
  	    } else {
--- 279,283 ----
  <tr valign="top"><td><strong><a href="$urlfile" $target>$icon_mu</a>
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</td></tr></table>
  EOT
  	    } else {
***************
*** 272,276 ****
  <tr><td><strong>Attachment:
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</td></tr></table>
  EOT
  	    }
--- 286,290 ----
  <tr><td><strong>Attachment:
  <a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</td></tr></table>
  EOT
  	    }
***************
*** 278,293 ****
      }
      ($ret, $path || $filename);
- }
- 
- ##---------------------------------------------------------------------------
- 
- sub htmlize {
-     my $txt = shift;
-     return ""  unless defined($txt);
- 
-     $txt =~ s/&/\&amp;/g;
-     $txt =~ s/>/&gt;/g;
-     $txt =~ s/</&lt;/g;
-     $txt;
  }
  
--- 292,295 ----
