Changeset 1161 for trunk/core/lib/Foswiki.pm

Timestamp:

12/04/08 07:48:32 (3 years ago)

Author:

KennethLavrsen

Message:

Item375: First part of addressing URLPARAM XSS issue
Additionally some docs will need some additional work.
Please test this carefully so we know which apps break from this.

File:

• trunk/core/lib/Foswiki.pm (modified) (2 diffs)

trunk/core/lib/Foswiki.pm

@@ -3867 +3867 @@
     my $param     = $params->{_DEFAULT} || '';
     my $newLine   = $params->{newline};
-    my $encode    = $params->{encode};
+    my $encode    = $params->{encode} || 'safe';
     my $multiple  = $params->{multiple};
     my $separator = $params->{separator};
@@ -3897 +3897 @@
     if ( defined $value ) {
         $value =~ s/\r?\n/$newLine/go if ( defined $newLine );
-        if ($encode) {
-            if ( $encode =~ /^entit(y|ies)$/i ) {
-                $value = entityEncode($value);
-            }
-            elsif ( $encode =~ /^quotes?$/i ) {
-                $value =~ s/\"/\\"/go
-                  ;    # escape quotes with backslash (Bugs:Item3383 fix)
-            }
-            else {
-                $value =~ s/\r*\n\r*/<br \/>/;    # Legacy
-                $value = urlEncode($value);
-            }
+        if ( $encode =~ /^entit(y|ies)$/i ) {
+            $value = entityEncode($value);
+        }
+        elsif ( $encode =~ /^quotes?$/i ) {
+            $value =~ s/\"/\\"/go
+              ;    # escape quotes with backslash (Bugs:Item3383 fix)
+        }
+        elsif ( $encode =~ /^(off|none)$/i ) {
+            # no encoding
+        }
+        elsif ( $encode =~ /^url$/i ) {
+            $value =~ s/\r*\n\r*/<br \/>/;    # Legacy
+            $value = urlEncode($value);
+        }
+        else { # safe or default
+            # entity encode ' " < > and %
+            $value =~ s/([<>%'"])/'&#'.ord($1).';'/ge;
         }
     }