diff s4-blog.sh @ 749:f9f88278f6a0
Use htmlescape in more places
author | HIROSE Yuuji <yuuji@gentei.org> |
---|---|
date | Sat, 06 Jun 2020 20:55:30 +0900 |
parents | 42cc0aeaa498 |
children | d39c915daeda |
--- a/s4-blog.sh Sat Jun 06 20:46:54 2020 +0900
+++ b/s4-blog.sh Sat Jun 06 20:55:30 2020 +0900
@@ -94,8 +94,9 @@
 fi
 test -z "$emails" && return
 err notify: user=$user Admins=`getgroupadmins $blogowner` Mode=$mode Emails="[$emails]"
+ quotedowner=`echo $blogowner | nkf -jM | tr -d '\n"'`
 MAIL_FROM=$noreply_from \
- SMAIL_TO="`echo "$blogowner" | nkf -jM | tr -d '\n'` readers <$noreply>" \
+ SMAIL_TO="\"$quotedowner\" readers <$noreply>" \
 smail "$emails" "${action}通知 $urlbase"<<EOF
 [$blogtitle]板に${action}がありました。
 ※※※このメイルには返信できません(返信は次のURLへ)※※※
@@ -413,7 +414,7 @@
 cat<<EOF
 <tr id="$id">
 <td class="$tdcls">${picon}__EDIT__<a href="#$aid">#$aid</a>
-<a href="$hlink+$uid" title="${author%@*}">$uname</a>
+<a href="$hlink+$uid" title="${author%@*}">`echo $uname|htmlescape`</a>
 <span title="$tm">${reki:-$tm}</span>
 <__NOTIFY__></td>
 EOF
@@ -544,7 +545,7 @@ } lshandout() { - # $1=rowid of blog + # $1=rowid of blog (numericalized in s4.cgi) blog_writable $1 $user rc=$? # =0: writable, $BLOG_NOTMEM bit set => not member if [ $((rc & $BLOG_NOTMEM)) -gt 0 ] ; then
@@ -553,10 +554,11 @@
 time=`getvalbyid blog ctime $1|colrm 11`
 owner=`getvalbyid blog owner $1`
 title=`getvalbyid blog title $1`
- ge=`gecos $owner`
+ ge=`gecos "$owner"`
+ htmlowner=`echo ${ge:-$owner}|htmlescape`
 fh=$tmpd/formhead
- echo "$time [$title]@${ge:-$owner}" > $fh
- lshandoutsub $owner "$@" \
+ echo "$time [$title]@$htmlowner" > $fh
+ lshandoutsub "$owner" "$@" \
 |_m4 -D_TITLE_="提出状況" \
 -D_FORMHEAD_="syscmd(cat $fh)" \
 -D_FORM_="syscmd(cat)" -D_DUMPHEAD_= -D_DUMPTABLE_= \
@@ -1155,7 +1157,7 @@
 }
 listblog() (
 # $1={user,group}
- qow=`sqlquote $1`
+ qow=`sqlquote "$1"`
 cond="where a.id in (select id from blog_s where key='owner' and val=$qow) order by ctime desc"
 cgi_form searchart<<EOF
 <label>`cgi_text kwd`という語を含む記事をこの一覧から検索</label>
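Review bot: The added `quotedowner=` line drops the double quotes that the removed `SMAIL_TO` line had around `$blogowner`, so an owner name containing whitespace or glob characters is word-split and globbed by the shell before nkf ever sees it. The `tr -d '\n"'` strips newlines and double quotes but not carriage returns or backslashes, and a backslash is itself an escape character inside an RFC 5322 quoted-string, so a `\"` sequence in the name could still unbalance the header; `quotedowner=\`printf '%s\n' "$blogowner" | nkf -jM | tr -d '\r\n"\\'\`` covers both. Whether smail normalizes the header further is not visible here, and the notify function's body continues outside the hunk.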
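Review bot: In the new `<a …>` line, `echo $uname|htmlescape` leaves `$uname` unquoted, so the shell word-splits it and expands any `*`/`?` in it against the working directory before htmlescape runs, and a name beginning with `-n` or `-e` is consumed by echo as an option; the same `echo $var|htmlescape` pattern is in the hunks at -553, -1175 and -1236. `printf '%s\n' "$uname" | htmlescape` fixes all of them. The attribute `title="${author%@*}"` on the same line is still interpolated raw, so if `$author` comes from user-editable data it needs the same treatment, since a `"` in it closes the attribute. The heredoc and its enclosing function continue outside the hunk.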
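Review bot: In the hunk at -553, the new `echo "$time [$title]@$htmlowner" > $fh` escapes the owner but still writes `$title` raw, although the hunk at -1292 escapes a blog title of the same origin before handing it to `_m4`; because `$fh` is pulled in through `syscmd(cat $fh)`, the unescaped title reaches the page unchanged. Keeping `$title` intact for any other use and adding `htmltitle=\`printf '%s\n' "$title" | htmlescape\`` next to `htmlowner`, then writing `echo "$time [$htmltitle]@$htmlowner" > $fh`, makes the formhead consistent. The rest of lshandout is outside the hunk.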
@@ -1166,7 +1168,7 @@ ) blog_addentry() { - # $1=GRPname(if it is a group) + # $1=GRProwID(if it is a group) grprowid=`numericalize $1` rowid=`getpar rowid` ## err blog_addentry0: rowid=$rowid
@@ -1175,9 +1177,14 @@
 else
 owner=`getpar owner`
 fi
+ htmlowner=`echo $owner|htmlescape`
 err blog-add: \$1=$grprowid rowid=$rowid owner=$owner
 if isgroup "$owner"; then
- groupmode=1 listing=$owner guide="[${owner}]" GF_OWNER=$owner
+ if [ -z "$grprowid" ]; then
+ qgrp=`sqlquote "$owner"` # Inefficient...
+ grprowid=`query "SELECT rowid FROM grp WHERE gname=$qgrp;"`
+ fi
+ groupmode=1 listing=$owner guide="[`linkhome $grprowid`]" GF_OWNER=$owner
 else
 usermode=1 listing=$user guide="[個人]"
 fi
@@ -1216,7 +1223,7 @@
 fi
 fi
 echo "${guide}新規話題作成" > $tmpd/title.$$
- listblog $listing > $tmpd/listblog.$$
+ listblog "$listing" > $tmpd/listblog.$$
 genform $formdir/blog.def \
 | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \
 -D_FORMHEAD_="序文は簡単に詳しくはコメントに" \
@@ -1236,6 +1243,7 @@
 fi
 title=`getvalbyid blog title $rowid`
 owner=`getvalbyid blog owner $rowid`
+ htmlowner=`echo $owner|htmlescape`
 qowner=`sqlquotestr "$owner"`
 if [ -z "$title" ]; then
 echo "日記番号指定が無効です。" | html p
@@ -1257,7 +1265,7 @@ else grprowid=`query "select rowid from grp where gname=$qowner;"` subtitle="グループ - <a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$owner</a> での話題 + <a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$htmlowner</a> での話題 `query \"SELECT printf('(チーム:%s)', val)\ FROM blog_s WHERE id=(SELECT id FROM blog WHERE rowid=$rowid)
@@ -1277,7 +1285,7 @@
 blog_notify_reply $rowid $user "$text" $act
 if [ -n "$grprowid" ]; then
 qgrp=$(sqlquote "$owner")
- dbsetbyid grp $owner wtime "`date '+%F %T'`"
+ dbsetbyid grp "$owner" wtime "`date '+%F %T'`"
 else
 dbsetbyid user "$user" wtime "`date '+%F %T'`"
 fi
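Review bot: In the hunk at -1257, the rebuilt `subtitle` now uses `$htmlowner` for the link text, but the team name produced by the adjacent `query \"SELECT printf('(チーム:%s)', val) … FROM blog_s …\"` is still interpolated raw into the same string; if that `val` is user-editable it is the one remaining unescaped fragment of this subtitle. Appending `| htmlescape` to that command substitution would make it consistent with the owner, while `$grprowid` in the href comes from a query result and is unaffected. The subtitle assignment continues outside the hunk.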
@@ -1292,7 +1300,7 @@
 fi
 fi
 def=$formdir/article.def
- echo "$title" > $tmpd/title.$$
+ echo "$title" | htmlescape > $tmpd/title.$$
 echo "$subtitle$frozen_flag" > $tmpd/subtitle.$$
 ${BLOG_SHOW:-blog_showentry} blog $rowid \
 | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \
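Review bot: The new `echo "$title" | htmlescape > $tmpd/title.$$` still goes through echo, which on several shells treats a title starting with `-n`/`-e`, or containing backslashes, as options or escapes before htmlescape sees it, so the escaped output is not always the stored title. `printf '%s\n' "$title" | htmlescape > "$tmpd/title.$$"` is the portable form and also quotes the output path. The function this line belongs to continues outside the hunk.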