liquid_feedback_frontend
changeset 39:06a6e5846536
Bugfixes in app/main/draft/diff.lua including missing encoding of diff output (security threat!)
author | bsw |
---|---|
date | Sun Mar 07 15:13:05 2010 +0100 (2010-03-07) |
parents | 2c7cc99c4e8e |
children | ca3a0552927f |
files | app/main/draft/diff.lua config/default.lua |
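--- a/app/main/draft/diff.lua	Fri Mar 05 15:45:55 2010 +0100
+++ b/app/main/draft/diff.lua	Sun Mar 07 15:13:05 2010 +0100
@@ -47,11 +47,12 @@
 else
 slot.put('<table class="diff">')
 slot.put('<tr><th width="50%">' .. _"Old draft revision" .. '</th><th width="50%">' .. _"New draft revision" .. '</th></tr>')
+
 local last_state = "unchanged"
 local lines = {}
 local removed_lines = nil
-output = output .. " "
-output = output:gsub("[^\n\r]+", function(line)
+
+local function process_line(line)
 local state = "unchanged"
 local char = line:sub(1,1)
 line = line:sub(2)
@@ -60,13 +61,15 @@
 state = "-"
 elseif char == "+" then
 state = "+"
+elseif char == "!" then
+state = "eof"
 end
 if last_state == "unchanged" then
 if state == "unchanged" then
 lines[#lines+1] = line
-elseif (state == "-") or (state == "+") then
-local text = table.concat(lines, "<br />")
-slot.put("<tr><td>", text, "</td><td>", text, "</td></tr>")
+elseif (state == "-") or (state == "+") or (state == "eof") then
+local text = table.concat(lines, "\n")
+slot.put("<tr><td>", text, "</td><td>", encode.html_newlines(encode.html(text)), "</td></tr>")
 lines = { line }
 end
 elseif last_state == "-" then
@@ -75,29 +78,36 @@
 elseif state == "+" then
 removed_lines = lines
 lines = { line }
-elseif state == "unchanged" then
-local text = table.concat(lines,"<br />")
-slot.put('<tr><td class="removed">', text, "</td><td></td></tr>")
+elseif (state == "unchanged") or (state == "eof") then
+local text = table.concat(lines,"\n")
+slot.put('<tr><td class="removed">', encode.html_newlines(encode.html(text)), "</td><td></td></tr>")
 lines = { line }
 end
 elseif last_state == "+" then
 if state == "+" then
 lines[#lines+1] = line
-elseif (state == "-") or (state == "unchanged") then
+elseif (state == "-") or (state == "unchanged") or (state == "eof") then
 if removed_lines then
-local text = table.concat(lines, "<br />")
-local removed_text = table.concat(removed_lines, "<br />")
-slot.put('<tr><td class="removed">', removed_text, '</td><td class="added">', text, "</td></tr>")
+local text = table.concat(lines, "\n")
+local removed_text = table.concat(removed_lines, "\n")
+slot.put('<tr><td class="removed">', encode.html_newlines(encode.html(removed_text)), '</td><td class="added">', encode.html_newlines(encode.html(text)), "</td></tr>")
 else
-local text = table.concat(lines, "<br />")
-slot.put('<tr><td></td><td class="added">', text, "</td></tr>")
+local text = table.concat(lines, "\n")
+slot.put('<tr><td></td><td class="added">', encode.html_newlines(encode.html(text)), "</td></tr>")
 end
 removed_lines = nil
 lines = { line }
 end
 end
 last_state = state
+end
+
+output = output .. " "
+output = output:gsub("[^\n\r]+", function(line)
+process_line(line)
 end)
+process_line("!")
+
 slot.put("</table>")
 end
 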
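Review bot: In the unchanged-lines branch of the second hunk the left cell is still written raw: `slot.put("<tr><td>", text, "</td><td>", encode.html_newlines(encode.html(text)), "</td></tr>")` encodes only the right column, so draft text in the old-revision column of unchanged rows still reaches the page without HTML encoding, which is the gap this commit sets out to close. Because the join changed from `"<br />"` to `"\n"`, that cell also loses its line breaks. Encode once and reuse the result: `local html = encode.html_newlines(encode.html(text))` followed by `slot.put("<tr><td>", html, "</td><td>", html, "</td></tr>")`. The other three `slot.put` calls, in the third hunk, do encode every cell they emit; `process_line` begins in the first hunk and ends in the third, so parts of its body lie outside the visible hunks.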
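--- a/config/default.lua	Fri Mar 05 15:45:55 2010 +0100
+++ b/config/default.lua	Sun Mar 07 15:13:05 2010 +0100
@@ -1,5 +1,5 @@
 config.app_name = "LiquidFeedback"
-config.app_version = "beta12.2"
+config.app_version = "beta12.3"
 
 config.app_title = config.app_name .. " (" .. request.get_config_name() .. " environment)"
 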