Changeset 4028


Ignore:
Timestamp:
06/04/09 00:11:51 (3 years ago)
Author:
KennethLavrsen
Message:

Item1640: CommentPlugin writes "%" as html-code, which prevents the use of Macros
It was me that created the problem with my default safe mode in URLPARAM
I have analysed the problem and as long as we use URLPARAM in the OUTPUT part of
the CommentPlugin templates and keep the settings inside verbatim tags we do not
expose any XSS attack. So we can give the users back the ability to use Foswiki
Macros in comment input fields.
With this I also merge over some code changes Crawford had done in trunk.
Note that except for the release version all changes in the .pm files are unrelated
to the bug fix, which is why I dare checking in perltidy stuff with a bug fix.
CommentPlugin is now again same in trunk and Release branch

Forgot to copy over two files before the checkin

Location:
branches/Release01x00/CommentPlugin/data/System
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • branches/Release01x00/CommentPlugin/data/System/CommentPlugin.txt

    r3417 r4028  
    251251|  Plugin Version: | %$VERSION% | 
    252252|  Change History: | | 
     253|  04 Jun 2009 | Foswikitask:Item1668 - The action template used with !ActionTrackerPlugin now uses new syntax ending with %ENDACTION. This makes each action item appear on a new line. Additionally new lines are now correctly saved as html br tags and not as html encoded br tag <br /> Foswikitask:Item1640 - Templates shipped with the plugin no longer encodes the user date entered when the date is saved so that it is possible for the user to use macros. | 
    253254|  15 Jan 2008 | Foswikitask:Item727 - data loss issue when missing anchor or location | 
    254 |  13 Jan 2009 | Foswikitask:736 Make !CommentPlugin aware of CompareRevisionsAddOn bin script. | 
     255|  13 Jan 2009 | Foswikitask:Item736 - Make !CommentPlugin aware of CompareRevisionsAddOn bin script. | 
    255256|  16 Dec 2008 | Foswiki version | 
    256257|  03 Aug 2008 | The TWiki 4.2.1 release version |  

  • branches/Release01x00/CommentPlugin/data/System/CommentPluginTemplate.txt

    r3987 r4028  
    1717 
    1818---++ Template definitions 
     19 
     20%X% Note that the use of URLPARAM in the templates should be done in a way that prevents Cross Site Scripting attacks. The safest is to let URLPARAM encode the unsafe characters (default) but this prevents the user from entering Foswiki macros in the comment input fields. It is however safe to use encode="off" when the following rules are observed. 
     21   * The encode="off" option for URLPARAM is only used in this topic within verbatim tags to prevent this topic from being an XSS attack vector. 
     22   * The encode="off" option is only used in OUTPUT defs and never in the PROMPT. 
     23    
    1924---+++ Templates used in rest of file 
    2025Generic prompt box used by other templates 
     
    2429Short comment, signed and dated 
    2530<verbatim> 
    26 %TMPL:DEF{outputoneliner}%   * %URLPARAM{"comment"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END% 
     31%TMPL:DEF{outputoneliner}%   * %URLPARAM{"comment" encode="off"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END% 
    2732</verbatim> 
    2833 
     
    8792</verbatim> 
    8893<verbatim> 
    89 %TMPL:DEF{OUTPUT:bulletabove}%   * %URLPARAM{"bullet_above_item"}%%POS:BEFORE% 
     94%TMPL:DEF{OUTPUT:bulletabove}%   * %URLPARAM{"bullet_above_item" encode="off"}%%POS:BEFORE% 
    9095%TMPL:END% 
    9196</verbatim> 
     
    104109%TMPL:DEF{OUTPUT:threadmode}%%POS:BEFORE% 
    105110 
    106 %URLPARAM{"comment"}% 
     111%URLPARAM{"comment" encode="off"}% 
    107112 
    108113-- %WIKIUSERNAME% - %DATE% 
     
    125130---++++ %WIKIUSERNAME% - %SERVERTIME% 
    126131 
    127 %URLPARAM{"comment"}% 
     132%URLPARAM{"comment" encode="off"}% 
    128133 
    129134%TMPL:END% 
     
    157162</verbatim> 
    158163<verbatim> 
    159 %TMPL:DEF{OUTPUT:tableprepend}%%POS:AFTER%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% | 
     164%TMPL:DEF{OUTPUT:tableprepend}%%POS:AFTER%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% | 
    160165%TMPL:END% 
    161166</verbatim> 
     
    172177</verbatim> 
    173178<verbatim> 
    174 %TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% | 
     179%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% | 
    175180%TMPL:END% 
    176181</verbatim> 
     
    209214</verbatim> 
    210215<verbatim> 
    211 %TMPL:DEF{OUTPUT:action}%%POS:BEFORE%%AC%NOP%TION{who="%URLPARAM{"action_who"}%" due="%URLPARAM{"action_due"}%"}% %URLPARAM{"action_comment"}%<br />- Created by %WIKIUSERNAME%, %SERVERTIME%%ENDACTION% 
     216%TMPL:DEF{OUTPUT:action}%%POS:BEFORE%%AC%NOP%TION{who="%URLPARAM{"action_who" encode="off"}%" due="%URLPARAM{"action_due" encode="off"}%"}% %URLPARAM{"action_comment" encode="off"}%<br />- Created by %WIKIUSERNAME%, %SERVERTIME%%ENDACTION% 
    212217%TMPL:END% 
    213218</verbatim> 
     
    229234</verbatim> 
    230235<verbatim> 
    231 %TMPL:DEF{OUTPUT:table}%%POS:BEFORE%| %URLPARAM{"comment_date"}% | %WIKIUSERNAME% | %URLPARAM{"comment_city" }% | 
     236%TMPL:DEF{OUTPUT:table}%%POS:BEFORE%| %URLPARAM{"comment_date" encode="off"}% | %WIKIUSERNAME% | %URLPARAM{"comment_city" encode="off"}% | 
    232237%TMPL:END% 
    233238</verbatim> 
     
    250255<verbatim> 
    251256%TMPL:DEF{OUTPUT:toctalk}% 
    252 %POS:BEFORE%---++++ %SERVERTIME% %WIKIUSERNAME%: %URLPARAM{"comment_summary"}% 
    253 %POS:BEFORE%%URLPARAM{"toctalk_comment_text" }% 
     257%POS:BEFORE%---++++ %SERVERTIME% %WIKIUSERNAME%: %URLPARAM{"comment_summary" encode="off"}% 
     258%POS:BEFORE%%URLPARAM{"toctalk_comment_text" encode="off"}% 
    254259%POS:BEFORE% 
    255260%TMPL:END% 
Note: See TracChangeset for help on using the changeset viewer.