Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1201

Timestamp:

12/07/08 17:13:55 (3 years ago)

Author:

KennethLavrsen

Message:

Item375: Eliminate use of URLPARAM in docs so it becomes an XSS trap
Done with the System web topics now

Location:

trunk

Files:

: 4 edited

RevCommentPlugin/data/System/WebRssBaseWC.txt (modified) (2 diffs)
TipsContrib/data/System/TipsTopics.txt (modified) (1 diff)
core/data/System/SiteChanges.txt (modified) (1 diff)
core/data/System/WebCreateNewTopicTemplate.txt (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/RevCommentPlugin/data/System/WebRssBaseWC.txt

-                      r1105
+                      r1201
   <items>
     <rdf:Seq>
 %SEARCH{"%URLPARAM{"search" default=".*" }%" web="%URLPARAM{"web" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" default="WebStatistics" }%" type="%URLPARAM{"type" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" default="16" }%" scope="%URLPARAM{"scope" default="text" }%" casesensitive="%URLPARAM{"casesensitive" default="on" }%" date="%URLPARAM{"date" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n <description>%REVCOMMENT[rev=''$rev'' web=''$web'' topic=''$topic'' pre=''ChangeLog: '' delimiter='' -- '' post='''']%</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
+%SEARCH{"%URLPARAM{"search" encode="quote" default=".*" }%" web="%URLPARAM{"web" encode="quote" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" encode="quote" default="WebStatistics" }%" type="%URLPARAM{"type" encode="quote" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" encode="quote" default="16" }%" scope="%URLPARAM{"scope" encode="quote" default="text" }%" casesensitive="%URLPARAM{"casesensitive" encode="quote" default="on" }%" date="%URLPARAM{"date" encode="quote" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n <description>%REVCOMMENT[rev=''$rev'' web=''$web'' topic=''$topic'' pre=''ChangeLog: '' delimiter='' -- '' post='''']%</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
     </rdf:Seq>
   </items>
 …
   <url>%WIKILOGOIMG%</url>
 </image>
 %SEARCH{"%URLPARAM{"search" default=".*" }%" web="%URLPARAM{"web" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" default="WebStatistics" }%" type="%URLPARAM{"type" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" default="16" }%" scope="%URLPARAM{"scope" default="text" }%" casesensitive="%URLPARAM{"casesensitive" default="on" }%" date="%URLPARAM{"date" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n  <description>$summary (last changed by <nop>$wikiname)</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
+%SEARCH{"%URLPARAM{"search" default=".*" }%" web="%URLPARAM{"web" encode="quote" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" encode="quote" default="WebStatistics" }%" type="%URLPARAM{"type" encode="quote" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" encode="quote" default="16" }%" scope="%URLPARAM{"scope" encode="quote" default="text" }%" casesensitive="%URLPARAM{"casesensitive" encode="quote" default="on" }%" date="%URLPARAM{"date" encode="quote" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n  <description>$summary (last changed by <nop>$wikiname)</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
 %STOPINCLUDE%
 </verbatim>

trunk/TipsContrib/data/System/TipsTopics.txt

r1074	r1201
7	7	Search (perl regular expression): <input name="searchfor" type="text" value="%URLPARAM{"searchfor" default="Enter search keywords here"}%" size="100" />
8	8	</form>
9		%SEARCH{ "%URLPARAM{"searchfor" ~~default="search results go here"}%" topic="TipTopic" type="keyword" web="%SYSTEMWEB%, %MAIN~~WEB%" format=" * [[$web.$topic][$pattern(.?\-\-\-\+([^\n\r]+).)]]:$n() $summary(noheader, 100)$n()$percntCALC{$SETM(total, +1)}$percnt"}%
	9	%SEARCH{ "%URLPARAM{"searchfor" encode="quote" default="search results go here"}%" topic="TipTopic" type="keyword" web="%SYSTEMWEB%, %USERSWEB%" format=" * [[$web.$topic][$pattern(.?\-\-\-\+([^\n\r]+).)]]:$n() $summary(noheader, 100)$n()$percntCALC{$SETM(total, +1)}$percnt"}%
10	10
11	11	Total: %CALC{$GET(total)}% tips

trunk/core/data/System/SiteChanges.txt

-                      r482
+                      r1201
 nosearch="on"
 nototal="on"
 limit="%URLPARAM{"limit" default="25"}%"
 web="%URLPARAM{"web" default="all"}%"
+limit="%URLPARAM{"limit" encode="quote" default="25"}%"
+web="%URLPARAM{"web" encode="quote" default="all"}%"
 excludetopic="WebStatistics"
 reverse="on"

trunk/core/data/System/WebCreateNewTopicTemplate.txt

-                      r1022
+                      r1201
 %TMPL:DEF{"topicname"}%<input type="text" class="twikiInputField" name="topic" id="topic" size="40" %IF{"'%PREFILLTOPIC%'='1'" then="value=\"%BASETOPIC%\""}% %IF{"'%URLPARAM{"newtopic"}%'" then="value=\"%URLPARAM{"newtopic"}%\""}% />%TMPL:END%
+%TMPL:DEF{"topicname"}%<input type="text" class="twikiInputField" name="topic" id="topic" size="40" %IF{"'%PREFILLTOPIC%'='1'" then="value=\"%BASETOPIC%\""}% %IF{"'%URLPARAM{"newtopic" encode="quote"}%'" then="value=\"%URLPARAM{"newtopic"}%\""}% />%TMPL:END%
 %TMPL:DEF{"topicparent"}%%IF{"defined pickparent" then="<select name='topicparent' size='10' class='twikiSelect'>$percntTOPICLIST{$quot<option $marker value='$name'>$name</option>$quot marker=$quotselected$quot separator=$quot$quot selection=$quot$percntURLPARAM{ $quottopicparent$quot default=$quot%MAKETEXT{"(no parent, orphaned topic)"}%$quot }$percnt$quot}$percnt<option value=$quot$quot>$percntMAKETEXT{$quot(no parent, orphaned topic)$quot}$percnt</option></select>" else="<input type='text' size='40' name='topicparent' class='twikiInputField' value='%URLPARAM{topicparent}%' />&nbsp;<a id='pickparent' href='$percntSCRIPTURLPATH{view}$percnt/$percntBASEWEB$percnt/$percntBASETOPIC$percnt?$percntQUERYSTRING$percnt;pickparent=1'>%MAKETEXT{"Pick from a list"}%</a>"}%%TMPL:END%
 %TMPL:DEF{"topictemplate"}%<select name="templatetopic" class="twikiSelect">%IF{"'%URLPARAM{"templatetopic"}%'" then='<option selected="selected">%URLPARAM{"templatetopic"}%</option>'}%<option value="">%MAKETEXT{"Default template"}%</option>%SEARCH{"name~'*Template'" scope="topic" excludetopic="WebTopicEditTemplate,WebCreateNewTopicTemplate,*ViewTemplate" type="query" nonoise="on" format="<option>$topic</option>"}%</select> <a id="viewtemplates" href="%SCRIPTURL{view}%/%SYSTEMWEB%/WebTemplateTopics?web=%BASEWEB%">%MAKETEXT{"View templates"}%</a> %TMPL:END%
+%TMPL:DEF{"topictemplate"}%<select name="templatetopic" class="twikiSelect">%IF{"'%URLPARAM{"templatetopic" encode="quote"}%'" then='<option selected="selected">%URLPARAM{"templatetopic"}%</option>'}%<option value="">%MAKETEXT{"Default template"}%</option>%SEARCH{"name~'*Template'" scope="topic" excludetopic="WebTopicEditTemplate,WebCreateNewTopicTemplate,*ViewTemplate" type="query" nonoise="on" format="<option>$topic</option>"}%</select> <a id="viewtemplates" href="%SCRIPTURL{view}%/%SYSTEMWEB%/WebTemplateTopics?web=%BASEWEB%">%MAKETEXT{"View templates"}%</a> %TMPL:END%
 %TMPL:DEF{"submit"}%<input id="submit" type="submit" class="twikiSubmit" value='%MAKETEXT{"Create this topic"}%' />%TMPL:END%

Note: See TracChangeset for help on using the changeset viewer.