Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv15913
Modified Files:
mhexternal.pl
Log Message:
* Make sure to htmlize name parameter to avoid any potential XSS.
* Display the subject of an attached message as the label of its attachment link.
* Removed private htmlize routine and replaced with calls to mhonarc's.
Index: mhexternal.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhexternal.pl,v
retrieving revision 2.10
retrieving revision 2.11
diff -C2 -r2.10 -r2.11
*** mhexternal.pl 6 Oct 2001 14:02:38 -0000 2.10
--- mhexternal.pl 25 Sep 2002 03:55:44 -0000 2.11
***************
*** 158,162 ****
## Check if content is excluded based on filename extension
if ($excexts && index($excexts, ",$dispext,") >= $[) {
! return (qq|<p><tt><<attachment: $nameparm>></tt></p>\n|);
}
--- 158,164 ----
## Check if content is excluded based on filename extension
if ($excexts && index($excexts, ",$dispext,") >= $[) {
! return (qq|<p><tt><<attachment: |.
! mhonarc::htmlize($nameparm).
! qq|>></tt></p>\n|);
}
***************
*** 215,219 ****
## Create HTML markup
if ($inline) {
! $ret = "<p>".htmlize($fields->{'content-description'}[0])."</p>\n"
if (defined $fields{'content-description'});
$ret .= qq|<p><a href="$urlfile" $target><img src="$urlfile" | .
--- 217,223 ----
## Create HTML markup
if ($inline) {
! $ret = '<p>'.
! mhonarc::htmlize($fields->{'content-description'}[0]).
! "</p>\n"
if (defined $fields{'content-description'});
$ret .= qq|<p><a href="$urlfile" $target><img src="$urlfile" | .
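Review bot: The retained guard `if (defined $fields{'content-description'});` tests the hash `%fields`, while the value handed to `mhonarc::htmlize` two lines above is read through the reference `$fields->{'content-description'}[0]`; unless `%fields` is an alias of `%$fields` (their declarations are outside this hunk), the check does not protect the lookup it guards and an undefined description reaches `mhonarc::htmlize`. The guard should inspect the same structure it reads from: `if (defined $fields->{'content-description'}[0]);`. The enclosing sub starts before this hunk and continues after it.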
***************
*** 221,227 ****
} else {
! my $namelabel = $nameparm || $urlfile;
! my $desc = htmlize($fields->{'content-description'}[0]) ||
! $type;
# check if using icon
my($icon_mu, $iconurl, $iw, $ih);
--- 225,241 ----
} else {
! my $is_mesg = $ctype =~ /^message\//;
! my $desc = '<em>Description:</em> ';
! my $namelabel;
!
! if ($is_mesg && ($$data =~ /^subject:\s(.+)$/mi)) {
! $namelabel = mhonarc::htmlize($1);
! $desc .= 'Message attachment';
! } else {
! $desc .= mhonarc::htmlize($fields->{'content-description'}[0]) ||
! $type;
! $namelabel = mhonarc::htmlize($nameparm || $urlfile);
! }
!
# check if using icon
my($icon_mu, $iconurl, $iw, $ih);
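Review bot: The fallback `|| $type` on the new description line is the one interpolated value in this branch that bypasses `mhonarc::htmlize`; if `$type` is derived from the message's Content-Type header (its origin is outside the hunk), it is message-supplied just like `$nameparm` and should be escaped the same way: `$desc .= mhonarc::htmlize($fields->{'content-description'}[0]) || mhonarc::htmlize($type);`. The subject match `/^subject:\s(.+)$/mi` runs over all of `$$data` under `/m`, so a body line beginning with "subject:" is used when the nested message has no Subject header, `\s` admits exactly one whitespace character, and with CRLF line endings the capture keeps the trailing `\r`; limiting the search to the header block (the text before the first blank line) and capturing with `[ \t]*(.*?)[ \t\r]*$` would tighten it. Encoded-word subjects (`=?charset?...?=`) are shown verbatim, which is presumably intentional. The enclosing sub starts before and ends after this hunk.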
***************
*** 250,254 ****
<p><strong><a href="$urlfile" $target>$icon_mu</a>
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</p>
EOT
} else {
--- 264,268 ----
<p><strong><a href="$urlfile" $target>$icon_mu</a>
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</p>
EOT
} else {
***************
*** 256,260 ****
<p><strong>Attachment:
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</p>
EOT
}
--- 270,274 ----
<p><strong>Attachment:
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</p>
EOT
}
***************
*** 265,269 ****
<tr valign="top"><td><strong><a href="$urlfile" $target>$icon_mu</a>
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</td></tr></table>
EOT
} else {
--- 279,283 ----
<tr valign="top"><td><strong><a href="$urlfile" $target>$icon_mu</a>
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</td></tr></table>
EOT
} else {
***************
*** 272,276 ****
<tr><td><strong>Attachment:
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! <em>Description:</em> $desc</td></tr></table>
EOT
}
--- 286,290 ----
<tr><td><strong>Attachment:
<a href="$urlfile" $target><tt>$namelabel</tt></a></strong><br>
! $desc</td></tr></table>
EOT
}
***************
*** 278,293 ****
}
($ret, $path || $filename);
- }
-
- ##---------------------------------------------------------------------------
-
- sub htmlize {
- my $txt = shift;
- return "" unless defined($txt);
-
- $txt =~ s/&/\&/g;
- $txt =~ s/>/>/g;
- $txt =~ s/</</g;
- $txt;
}
--- 292,295 ----