changeset 760:f40036e2598b feature-annex

merged
author HIROSE Yuuji <yuuji@gentei.org>
date Sun, 07 Jun 2020 06:21:02 +0900
parents 262983fbc2ac (current diff) f9f88278f6a0 (diff)
children bcd97ab3d4f1
files s4-funcs.sh
diffstat 4 files changed, 58 insertions(+), 41 deletions(-) [+]
--- a/examples/sns/form/article.def	Sat Jun 06 16:33:23 2020 +0900
+++ b/examples/sns/form/article.def	Sun Jun 07 06:21:02 2020 +0900
@@ -1,5 +1,5 @@
 シリアル:id:p:serial:
-blogID:blogid:f:blog(id):
+blogID:blogid:pf:blog(id):
 筆者:author:s:author:
 時刻:ctime:s:stamp:
 参照元:parent:s:parent: 
--- a/mpsplit.pl	Sat Jun 06 16:33:23 2020 +0900
+++ b/mpsplit.pl	Sun Jun 07 06:21:02 2020 +0900
@@ -30,7 +30,7 @@
     if ($fn =~ /^([^\/]*)$/) {
       $fn = $1;
     }
-    $fn =~ s/ /_/g;
+    $fn =~ s/[ 	<>&\#'\"\&|*?]/_/g;
     $fn =~ s,.*[/\\],,;
     open(OUT, ">$dir/$fn");
       print OUT $body;
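Review bot: The new filename substitution is a deny-list that still lets `;`, `$` and control bytes through, and the class lists `&` twice (`&` and `\&`), which makes its intent hard to verify; for a value that ends up in `open(OUT, ">$dir/$fn")` an allow-list is simpler to reason about: `$fn =~ s/[^\w.\-]/_/g;`. Whether non-ASCII names must survive (`\w` depends on the string's UTF-8 flag) is not visible in the hunk, so confirm against the inputs before switching. The enclosing loop starts before the hunk.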
--- a/s4-blog.sh	Sat Jun 06 16:33:23 2020 +0900
+++ b/s4-blog.sh	Sun Jun 07 06:21:02 2020 +0900
@@ -94,8 +94,9 @@
   fi
   test -z "$emails" && return
   err notify: user=$user Admins=`getgroupadmins $blogowner` Mode=$mode Emails="[$emails]"
+  quotedowner=`echo $blogowner | nkf -jM | tr -d '\n"'`
   MAIL_FROM=$noreply_from \
-  SMAIL_TO="`echo "$blogowner" | nkf -jM | tr -d '\n'` readers <$noreply>" \
+  SMAIL_TO="\"$quotedowner\" readers <$noreply>" \
 	  smail "$emails" "${action}通知 $urlbase"<<EOF
 [$blogtitle]板に${action}がありました。
 ※※※このメイルには返信できません(返信は次のURLへ)※※※
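Review bot: `quotedowner` is built from an unquoted `echo $blogowner`, so the owner name is word-split and glob-expanded before it reaches nkf, and `tr -d '\n"'` leaves backslashes in, which can still end the quoted display-name early inside `SMAIL_TO`. Use `quotedowner=$(printf '%s' "$blogowner" | nkf -jM | tr -d '\n"\\')`; the `$(...)` form (already used elsewhere in this file) avoids the backslash rewriting that backticks apply to the tr argument. The enclosing notify function starts before the hunk and its here-document continues past it.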
@@ -413,7 +414,7 @@
 	cat<<EOF
 <tr id="$id">
 <td class="$tdcls">${picon}__EDIT__<a href="#$aid">#$aid</a>
-<a href="$hlink+$uid" title="${author%@*}">$uname</a>
+<a href="$hlink+$uid" title="${author%@*}">`echo $uname|htmlescape`</a>
 <span title="$tm">${reki:-$tm}</span>
 <__NOTIFY__></td>
 EOF
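Review bot: `` `echo $uname|htmlescape` `` expands `$uname` unquoted, so a name containing whitespace is collapsed and one containing `*` or `?` is globbed against the working directory before it is escaped; the same pattern is introduced for `htmlowner` in lshandout, blog_addentry and the @@ -1235 hunk, for `anchor` in iconhref2 and for `htmlname` in listentry. Quote each one the way the @@ -2731 hunk already does for `htmlgrp`, e.g. `` `echo "$uname"|htmlescape` ``, and in iconhref2 write `"$*"` since the anchor words are meant to be joined into one string. The function around this here-document starts before the hunk.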
@@ -544,7 +545,7 @@
 }
 
 lshandout() {
-  # $1=rowid of blog
+  # $1=rowid of blog (numericalized in s4.cgi)
   blog_writable $1 $user
   rc=$?		# =0: writable, $BLOG_NOTMEM bit set => not member
   if [ $((rc & $BLOG_NOTMEM)) -gt 0 ] ; then
@@ -553,10 +554,11 @@
   time=`getvalbyid blog ctime $1|colrm 11`
   owner=`getvalbyid blog owner $1`
   title=`getvalbyid blog title $1`
-  ge=`gecos $owner`
+  ge=`gecos "$owner"`
+  htmlowner=`echo ${ge:-$owner}|htmlescape`
   fh=$tmpd/formhead
-  echo "$time [$title]@${ge:-$owner}" > $fh
-  lshandoutsub $owner "$@" \
+  echo "$time [$title]@$htmlowner" > $fh
+  lshandoutsub "$owner" "$@" \
       |_m4 -D_TITLE_="提出状況" \
 	   -D_FORMHEAD_="syscmd(cat $fh)" \
 	   -D_FORM_="syscmd(cat)" -D_DUMPHEAD_= -D_DUMPTABLE_= \
@@ -1058,15 +1060,16 @@
   kwd=`echo "$kwd"|htmlescape`
   owner=`getpar owner`
   owner=${owner:-$1}
+  grid=`getpar grid`
   msg=""
-  if [ -n "$owner" ]; then
+  if [ -n "$grid" ]; then
+    grp=`getgroupbyid "$grid"`
+    qgrp=`sqlquote "$grp"`
+    cond="WHERE key='owner' AND val=$qgrp"
+    msg="(`linkhome $grid` グループから)"
+  elif [ -n "$owner" ]; then
     cond="where key='owner' and val='$owner'"
-    if isuser $owner; then
-      msg="(`linkhome $owner` さんの記録から)"
-    else
-      linkhome $owner 1>&3
-      msg="(`linkhome $owner` グループから)"
-    fi
+    msg="(`linkhome $owner` さんの記録から)"
   elif { author=`getpar author`; test -n "$author"; }; then
     atptn=`sqlquotestr $author`
     #kc="$kc${kc:+ AND }author=$atptn"
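Review bot: The new grid branch runs its value through sqlquote before interpolating it into `cond`, but the owner branch kept right beside it still writes `val='$owner'` with the raw parameter, so the two branches now disagree on how a request value reaches the query; make the owner branch match with `qowner=\`sqlquote "$owner"\`` and `cond="WHERE key='owner' AND val=$qowner"`. Whether `$grid` from getpar is coerced to an integer inside getgroupbyid is not visible here; if it is not, it reaches linkhome and the SQL unvalidated and should pass through numericalize first, as blog_addentry does. The enclosing function starts and ends outside the hunk.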
@@ -1154,7 +1157,7 @@
 }
 listblog() (
   # $1={user,group}
-  qow=`sqlquote $1`
+  qow=`sqlquote "$1"`
   cond="where a.id in (select id from blog_s where key='owner' and val=$qow) order by ctime desc"
   cgi_form searchart<<EOF
 <label>`cgi_text kwd`という語を含む記事をこの一覧から検索</label>
@@ -1165,7 +1168,7 @@
 )
 
 blog_addentry() {
-  # $1=GRPname(if it is a group)
+  # $1=GRProwID(if it is a group)
   grprowid=`numericalize $1`
   rowid=`getpar rowid`
   ## err blog_addentry0: rowid=$rowid
@@ -1174,9 +1177,14 @@
   else
     owner=`getpar owner`
   fi
+  htmlowner=`echo $owner|htmlescape`
   err blog-add: \$1=$grprowid rowid=$rowid owner=$owner
   if isgroup "$owner"; then
-    groupmode=1 listing=$owner guide="[${owner}]" GF_OWNER=$owner
+    if [ -z "$grprowid" ]; then
+      qgrp=`sqlquote "$owner"`	# Inefficient...
+      grprowid=`query "SELECT rowid FROM grp WHERE gname=$qgrp;"`
+    fi
+    groupmode=1 listing=$owner guide="[`linkhome $grprowid`]" GF_OWNER=$owner
   else
     usermode=1 listing=$user guide="[個人]"
   fi
@@ -1215,7 +1223,7 @@
     fi
   fi
   echo "${guide}新規話題作成"	> $tmpd/title.$$
-  listblog $listing		> $tmpd/listblog.$$
+  listblog "$listing"		> $tmpd/listblog.$$
   genform $formdir/blog.def \
       | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \
 	    -D_FORMHEAD_="序文は簡単に詳しくはコメントに" \
@@ -1235,6 +1243,7 @@
   fi
   title=`getvalbyid blog title $rowid`
   owner=`getvalbyid blog owner $rowid`
+  htmlowner=`echo $owner|htmlescape`
   qowner=`sqlquotestr "$owner"`
   if [ -z "$title" ]; then
     echo "日記番号指定が無効です。" | html p
@@ -1256,7 +1265,7 @@
   else
     grprowid=`query "select rowid from grp where gname=$qowner;"`
     subtitle="グループ
-     <a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$owner</a> での話題
+     <a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$htmlowner</a> での話題
     	`query \"SELECT printf('(チーム:%s)', val)\
 		 FROM blog_s
 		 WHERE id=(SELECT id FROM blog WHERE rowid=$rowid)
@@ -1276,7 +1285,7 @@
 	  blog_notify_reply $rowid $user "$text" $act
 	if [ -n "$grprowid" ]; then
 	  qgrp=$(sqlquote "$owner")
-	  dbsetbyid grp $owner wtime "`date '+%F %T'`"
+	  dbsetbyid grp "$owner" wtime "`date '+%F %T'`"
 	else
 	  dbsetbyid user "$user" wtime "`date '+%F %T'`"
 	fi
@@ -1291,7 +1300,7 @@
     fi
   fi
   def=$formdir/article.def
-  echo "$title" > $tmpd/title.$$
+  echo "$title" | htmlescape > $tmpd/title.$$
   echo "$subtitle$frozen_flag" > $tmpd/subtitle.$$
   ${BLOG_SHOW:-blog_showentry} blog $rowid \
       | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \
--- a/s4-funcs.sh	Sat Jun 06 16:33:23 2020 +0900
+++ b/s4-funcs.sh	Sun Jun 07 06:21:02 2020 +0900
@@ -575,15 +575,18 @@
   [ -n "`query $sql`" ] || return 2
 }
 linkhome() {
-  # $1=UserOrGroup
-  echo -n '<a href="?'
+  # $1=UserOrGroupRowid
+  echo -n "<a href=\"$myname?"
   if isuser $1; then
     err "select 'home+'||rowid from user where name='$1';"
     query "select 'home+'||rowid from user where name='$1';"
+    name=`gecos $1|htmlescape`
   else
+    _grid=`numericalize "$1"`
     echo -n "grp+$1"
+    name=`query "SELECT gname FROM grp WHERE rowid=$_grid;"|htmlescape`
   fi
-  echo  "\">`gecos $1`</a>"
+  echo  "\">$name</a>"
 }
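Review bot: The group branch computes `_grid` with numericalize for the SQL lookup, but the href on the line just before still emits the raw argument (`echo -n "grp+$1"`), so the validated and unvalidated forms of the same value diverge within one function; emit `echo -n "grp+$_grid"` instead. `gecos $1` on the new user-branch line and `isuser $1` on the retained one are unquoted, unlike the `numericalize "$1"` call right below them. `$myname` is written into the href without escaping; presumably it is the script name rather than request-controlled, but that is not visible here.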
 hreflink() {
   # s4 specific notation:
@@ -1058,7 +1061,8 @@
 }
 htmlescape() {
   sed -e 's/\&/\&amp;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" \
-      -e "s/</\&lt;/g; s/>/\&gt;/g" -e 's/`/\&#096;/g' -e 's/(/\&#040;/g'
+      -e "s/</\&lt;/g; s/>/\&gt;/g" -e 's/`/\&#096;/g' -e 's/(/\&#040;/g' \
+      -e 's/`/\&#96/'
 }
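Review bot: The appended `-e 's/`/\&#96/'` can never match, because the expression two lines above already rewrote every backtick to `&#096;` with `/g`, and if it did fire it would emit `&#96` without the closing `;`. Drop the added line together with the new trailing `\` on the previous one, or, if a different replacement was intended, change the existing backtick expression instead of adding a second.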
 enascii() {
   if [ -z "$enascii" ]; then
@@ -1266,8 +1270,11 @@
   rcptheader=`echo $1|tr ' ' '\n'|sort -u|sed '2,$s/^/To: /g'`
   subj=`echo $2|nkf -jM|tr -d '\n'`
   sender=${SENDER:-$admin}
+  # Do not call m4 with directly passing text
+  _r=$tmpd/rcpt
+  echo -n "${SMAIL_TO:-$rcptheader}" > $_r
   replyto=${REPLYTO:+"Reply-to: $REPLYTO$LF"}
-  (_m4 -D_RCPT_="${SMAIL_TO:-$rcptheader}" -D_REPLYTO_="$replyto" -D_SUBJ_="\`$subj'" -D_FROM_="$from" $msgdir/mail-header.m4
+  (_m4 -D_RCPT_="spaste(\`$_r')" -D_REPLYTO_="$replyto" -D_SUBJ_="\`$subj'" -D_FROM_="$from" $msgdir/mail-header.m4
    cat $3 | nkf -jd ) | sendmail -f $sender $rcpt
 }
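Review bot: The recipient header is written with `echo -n "${SMAIL_TO:-$rcptheader}" > $_r`, where echo is unsafe for arbitrary data (values that look like options, and backslash sequences in shells whose echo interprets them) and the redirect target is unquoted; `printf '%s' "${SMAIL_TO:-$rcptheader}" > "$_r"` avoids both. The spaste file is left behind after the call, which is fine only if `$tmpd` is removed on exit — not visible from here. smail starts before the hunk.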
 smail_queue_flush() {
@@ -1297,7 +1304,6 @@
 	       ORDER by time;
 	EOF
       then
-	echo rowid=$rid
 	cat <<-EOF | sq $workdb 
 	DELETE FROM smailq
 	       WHERE rcpts=(SELECT rcpts FROM smailq WHERE rowid=$rid)
@@ -1955,7 +1961,7 @@
 }
 
 search_form() {
-  # $1		 = { author=<AUTHOR> | grp=<GROUP> }
+  # $1		 = { author=<AUTHOR> | grid=<GroupRowid> }
   # $2(optional) = pre-input keywords
   help="(1)空白区切りの単語で本文検索
 (2)@YYYY-MM-DD 日付け(シェルパターン可)で日付け検索
@@ -1977,9 +1983,9 @@
       placeholder="このユーザの書込検索"
       help="★★ $g さんの書き込みから検索します$nl$help"
       ;;
-    grp=*)
-      a=`echo "${1#grp=}"`	# group name cannot have quoting marks
-      auth="<input type=\"hidden\" name=\"owner\" value=\"$a\">"
+    grid=*)
+      a=`echo "${1#grid=}"`; a=$((0 + $a))
+      auth="<input type=\"hidden\" name=\"grid\" value=\"$a\">"
       placeholder="このグループからの検索"
       ;;
   esac
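Review bot: `a=$((0 + $a))` evaluates the request-supplied text as an arithmetic expression instead of validating it: depending on the shell a non-numeric value is either read as a variable name or aborts the script with an expansion error, and any expression the text forms is evaluated. The file already has numericalize for this purpose (used in blog_addentry and linkhome), so `a=\`numericalize "${1#grid=}"\`` keeps a single coercion path and also removes the unnecessary `echo` in backticks. search_form starts before the hunk.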
@@ -2305,7 +2311,8 @@
   # $1=icon-file, $2=Href $3=title $4...=anchor
   src=$1
   href=$2; title=$3; shift 3
-  echo "<a href=\"$href\"><img title=\"$title\" src=\"$src\">$@</a>"
+  anchor=`echo $@|htmlescape`
+  echo "<a href=\"$href\"><img title=\"$title\" src=\"$src\">$anchor</a>"
 )
 listentry() (
   # $1=user/group $2=SearchKeyword $3=condition(if any) $4=grprowid(if in grp)
@@ -2498,6 +2505,7 @@
     # err newlnk=$lnk regmode=$regmode
     icondir=$dir/$id
     # Pick up only last icon
+    htmlname=`echo $name|htmlescape`
     echo "<div class=\"iconlist xy$thumbxy $type $ownerp\">
 	<p class=\"tag _$tag\">$tag</p>" \
 	| _m4 $tagconv
@@ -2525,7 +2533,7 @@
 	iconhref2 "$dir/$deficon" "$hrb+$lnk" "$gecos"
       fi
     fi
-    echo "<br>$name${ownerp:+<br>($ownerp)}"
+    echo "<br>$htmlname${ownerp:+<br>($ownerp)}"
     echo "</div>"
   done
   echo "</div>"					# End of List-entry div
@@ -2566,7 +2574,7 @@
       ismember="" # bodyclass="group"
     fi
     bodyclass="$bodyclass grouphome"
-    echo "<div class=\"search\">`search_form grp=\"$grp\"`</div>"> $sf
+    echo "<div class=\"search\">`search_form grid=\"$grid\"`</div>"> $sf
     echo "グループ $htmlgrp" > $tf
 
     showgroupsub $formdir/grp.def "$grid" | \
@@ -2731,6 +2739,7 @@
   err GRP_ACTION:IN
   grid=${1:-`getpar grp`}
   grp=`getgroupbyid "$grid"`
+  htmlgrp=`echo "$grp" | htmlescape`
   myuid=`query "SELECT rowid FROM user WHERE name='$user';"`
   if [ -z "$grp" ]; then
     echo "無効な指定です。" | html p; return
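Review bot: `htmlgrp` is computed correctly here with a quoted echo, but the title line in the next hunk (`echo "グループ $grp 個別選択操作" | _m4 -D_TITLE_="syscmd(\`cat')"`) still emits the raw group name, so the escaped value is introduced and then not applied where the name first reaches the page; use `$htmlgrp` there as the later title and `<h4>` hunks do, unless `_TITLE_` is escaped inside html.m4.html, which is not visible here. The rest of this function lies outside the hunk.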
@@ -2738,7 +2747,7 @@
   if ! ismember $user "$grp"; then
     echo "加入者のみに許可された操作です。" | html p; return
   fi
-  echo "グループ $grp 個別選択操作" \
+  echo "グループ $grp 個別選択操作"  \
       | _m4 -D_TITLE_="syscmd(\`cat')" \
 	    -D_BODYCLASS_="`grp_getbodyclass \"$grp\"`" \
 	    $layout/html.m4.html
@@ -2946,7 +2955,7 @@
 	ORDER BY gecos;"
   ## err grpaction: "`echo \"$sql\"`"
   tf=$tmpd/title.$$
-  echo "グループ[<a href=\"?grp+$grid\">$grp</a>]参加メンバーに対する操作" > $tf
+  echo "グループ[<a href=\"?grp+$grid\">$htmlgrp</a>]参加メンバーに対する操作" > $tf
   cmmsg="`cgi_radio rm commission id=\"cmadmin\"`<label accesskey=\"f\"
  title=\"Shortcut: f${nl}Add to Administrator of the Group\"
  for=\"cmadmin\">管理者委任</label>
@@ -3029,7 +3038,7 @@
 ${isowner:+$cmmsg$excmsg}
 `cgi_radio rm close id="x"`<label for="x" accesskey="x">×</label>
 </div>
-<h4>$grp 参加者一覧</h4>$fromtonote
+<h4>$htmlgrp 参加者一覧</h4>$fromtonote
 <table class="td2r thl">
 `sq $db -header -html "$sql"`
 </table>
@@ -3263,11 +3272,11 @@
     return
   fi
   grp=`getgroupbyid $rowid`
-  members=`collectemail $grp`
+  members=`collectemail "$grp"`
   myuid=`query "SELECT rowid FROM user WHERE name='$user';"`
   mailfrom=`email4groupbyuid "$grp" "$myuid" | sed -e 1q -e 's/[ ,].*//'`
   mailfrom="`gecos "$user"` <$mailfrom>"
-  sj="グループ $grp 宛メッセージ(from `gecos $user`)"
+  sj="グループ「$grp」宛メッセージ(from `gecos $user`)"
   msg=$(cat<<-EOF
 	$urlbase?grp+$rowid
 	グループ $grp に所属する
@@ -3282,7 +3291,6 @@
       MAIL_FROM=$mailfrom \
 	       SENDER=$noreply \
 	       REPLYTO=$mailfrom \
-	       SMAIL_TO="`echo "$grp" | nkf -jM | tr -d '\n'` readers <$m>" \
 	       smail "$m" "$sj"
   done
   cat<<EOF
