Ignore:
Timestamp:
06/04/09 00:11:51 (3 years ago)
Author:
KennethLavrsen
Message:

Item1640: CommentPlugin writes "%" as html-code, which prevents the use of Macros
It was me that created the problem with my default safe mode in URLPARAM
I have analysed the problem and as long as we use URLPARAM in the OUTPUT part of
the CommentPlugin templates and keep the settings inside verbatim tags we do not
expose any XSS attack. So we can give the users back the ability to use Foswiki
Macros in comment input fields.
With this I also merge over some code changes Crawford had done in trunk.
Note that except for the release version all changes in the .pm files are unrelated
to the bug fix, which is why I dare checking in perltidy stuff with a bug fix.
CommentPlugin is now again same in trunk and Release branch

Forgot to copy over two files before the checkin

File:
1 edited

Legend:

Unmodified
Added
Removed

  • branches/Release01x00/CommentPlugin/data/System/CommentPluginTemplate.txt

    r3987 r4028  
    1717 
    1818---++ Template definitions 
     19 
     20%X% Note that the use of URLPARAM in the templates should be done in a way that prevents Cross Site Scripting attacks. The safest is to let URLPARAM encode the unsafe characters (default) but this prevents the user from entering Foswiki macros in the comment input fields. It is however safe to use encode="off" when the following rules are observed. 
     21   * The encode="off" option for URLPARAM is only used in this topic within verbatim tags to prevent this topic from being an XSS attack vector. 
     22   * The encode="off" option is only used in OUTPUT defs and never in the PROMPT. 
     23    
    1924---+++ Templates used in rest of file 
    2025Generic prompt box used by other templates 
     
    2429Short comment, signed and dated 
    2530<verbatim> 
    26 %TMPL:DEF{outputoneliner}%   * %URLPARAM{"comment"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END% 
     31%TMPL:DEF{outputoneliner}%   * %URLPARAM{"comment" encode="off"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END% 
    2732</verbatim> 
    2833 
     
    8792</verbatim> 
    8893<verbatim> 
    89 %TMPL:DEF{OUTPUT:bulletabove}%   * %URLPARAM{"bullet_above_item"}%%POS:BEFORE% 
     94%TMPL:DEF{OUTPUT:bulletabove}%   * %URLPARAM{"bullet_above_item" encode="off"}%%POS:BEFORE% 
    9095%TMPL:END% 
    9196</verbatim> 
     
    104109%TMPL:DEF{OUTPUT:threadmode}%%POS:BEFORE% 
    105110 
    106 %URLPARAM{"comment"}% 
     111%URLPARAM{"comment" encode="off"}% 
    107112 
    108113-- %WIKIUSERNAME% - %DATE% 
     
    125130---++++ %WIKIUSERNAME% - %SERVERTIME% 
    126131 
    127 %URLPARAM{"comment"}% 
     132%URLPARAM{"comment" encode="off"}% 
    128133 
    129134%TMPL:END% 
     
    157162</verbatim> 
    158163<verbatim> 
    159 %TMPL:DEF{OUTPUT:tableprepend}%%POS:AFTER%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% | 
     164%TMPL:DEF{OUTPUT:tableprepend}%%POS:AFTER%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% | 
    160165%TMPL:END% 
    161166</verbatim> 
     
    172177</verbatim> 
    173178<verbatim> 
    174 %TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% | 
     179%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% | 
    175180%TMPL:END% 
    176181</verbatim> 
     
    209214</verbatim> 
    210215<verbatim> 
    211 %TMPL:DEF{OUTPUT:action}%%POS:BEFORE%%AC%NOP%TION{who="%URLPARAM{"action_who"}%" due="%URLPARAM{"action_due"}%"}% %URLPARAM{"action_comment"}%<br />- Created by %WIKIUSERNAME%, %SERVERTIME%%ENDACTION% 
     216%TMPL:DEF{OUTPUT:action}%%POS:BEFORE%%AC%NOP%TION{who="%URLPARAM{"action_who" encode="off"}%" due="%URLPARAM{"action_due" encode="off"}%"}% %URLPARAM{"action_comment" encode="off"}%<br />- Created by %WIKIUSERNAME%, %SERVERTIME%%ENDACTION% 
    212217%TMPL:END% 
    213218</verbatim> 
     
    229234</verbatim> 
    230235<verbatim> 
    231 %TMPL:DEF{OUTPUT:table}%%POS:BEFORE%| %URLPARAM{"comment_date"}% | %WIKIUSERNAME% | %URLPARAM{"comment_city" }% | 
     236%TMPL:DEF{OUTPUT:table}%%POS:BEFORE%| %URLPARAM{"comment_date" encode="off"}% | %WIKIUSERNAME% | %URLPARAM{"comment_city" encode="off"}% | 
    232237%TMPL:END% 
    233238</verbatim> 
     
    250255<verbatim> 
    251256%TMPL:DEF{OUTPUT:toctalk}% 
    252 %POS:BEFORE%---++++ %SERVERTIME% %WIKIUSERNAME%: %URLPARAM{"comment_summary"}% 
    253 %POS:BEFORE%%URLPARAM{"toctalk_comment_text" }% 
     257%POS:BEFORE%---++++ %SERVERTIME% %WIKIUSERNAME%: %URLPARAM{"comment_summary" encode="off"}% 
     258%POS:BEFORE%%URLPARAM{"toctalk_comment_text" encode="off"}% 
    254259%POS:BEFORE% 
    255260%TMPL:END% 
Note: See TracChangeset for help on using the changeset viewer.