HTML escape substituted parameter values to avoid injection attacks.

This commit is contained in:
Tom Hughes 2007-11-23 00:49:55 +00:00
parent 7b172efeb6
commit 2cbcabb3f6
7 changed files with 39 additions and 37 deletions


@ -23,13 +23,13 @@
<% end %> <% end %>
<% if @user.home_lat.nil? or @user.home_lon.nil? %> <% if @user.home_lat.nil? or @user.home_lon.nil? %>
<% lon = params['lon'] || '-0.1' %> <% lon = h(params['lon']) || '-0.1' %>
<% lat = params['lat'] || '51.5' %> <% lat = h(params['lat']) || '51.5' %>
<% zoom = params['zoom'] || '4' %> <% zoom = h(params['zoom']) || '4' %>
<% else %> <% else %>
<% lon = @user.home_lon %> <% lon = @user.home_lon %>
<% lat = @user.home_lat %> <% lat = @user.home_lat %>
<% zoom = '12' %> <% zoom = '12' %>
<% end %> <% end %>
<script type="text/javascript" src="/openlayers/OpenLayers.js"></script> <script type="text/javascript" src="/openlayers/OpenLayers.js"></script>
@ -68,4 +68,4 @@
window.onload = init; window.onload = init;
// --> // -->
</script> </script>
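Review bot: The `|| '-0.1'`, `|| '51.5'` and `|| '4'` fallbacks in the first hunk no longer fire when the parameter is absent, if `h` coerces `nil` to an empty string as Rails' `html_escape` does via `to_s` — `""` is truthy in Ruby, so `lon`, `lat` and `zoom` end up empty instead of defaulted. Apply the default before escaping: `<% lon = h(params['lon'] || '-0.1') %>`, and likewise for `lat` and `zoom`. These are coordinates and a zoom level, so coercing them with `Float()` / `Integer()` would be a tighter check than HTML escaping, especially if they are later interpolated into the OpenLayers script rather than into markup; the lines that consume them are outside this hunk.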


@ -3,7 +3,7 @@
<h2>Send a new message to <%= display_name %></h2> <h2>Send a new message to <%= display_name %></h2>
<% if params[:display_name] %> <% if params[:display_name] %>
<p>Writing a new message to <%= params[:display_name] %></p> <p>Writing a new message to <%= h(params[:display_name]) %></p>
<p>TODO: drop down box of your friends</p> <p>TODO: drop down box of your friends</p>
<%end%> <%end%>
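Review bot: `<%= display_name %>` on the heading line is still emitted unescaped while the paragraph below it now escapes `params[:display_name]`; if `display_name` is derived from the same request parameter or from a user-chosen name, it needs the same treatment: `<h2>Send a new message to <%= h(display_name) %></h2>`. Where `display_name` is assigned is outside this hunk, so its origin cannot be confirmed from here.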


@ -24,7 +24,7 @@
<% if params[:query] %> <% if params[:query] %>
<%= remote_function(:loading => "startSearch()", <%= remote_function(:loading => "startSearch()",
:complete => "endSearch()", :complete => "endSearch()",
:url => { :controller => :geocoder, :action => :search, :query => params[:query] }) %> :url => { :controller => :geocoder, :action => :search, :query => h(params[:query]) }) %>
<% end %> <% end %>
// --> // -->
</script> </script>
@ -38,7 +38,7 @@
<% form_remote_tag(:loading => "startSearch()", <% form_remote_tag(:loading => "startSearch()",
:complete => "endSearch()", :complete => "endSearch()",
:url => { :controller => :geocoder, :action => :search }) do %> :url => { :controller => :geocoder, :action => :search }) do %>
<%= text_field_tag :query, params[:query] %> <%= text_field_tag :query, h(params[:query]) %>
<% end %> <% end %>
</span> </span>
<p id="search_active">Searching...</p> <p id="search_active">Searching...</p>
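Review bot: Passing `h(params[:query])` into the `:url` hash of `remote_function` on the first hunk's last line escapes at the wrong layer: `url_for` URL-encodes each query value itself, so a search term containing `&`, `<`, `>` or `"` reaches the geocoder as `&amp;`, `&lt;` and so on rather than what the user typed, and HTML escaping adds no protection inside the generated JavaScript string. The same double-encoding affects `text_field_tag :query, h(params[:query])` in the second hunk if `tag_options` escapes attribute values, as Rails' tag helpers do by default, showing the user a mangled term in the search box. For both lines rely on the helper's own encoding (`:query => params[:query]` and `text_field_tag :query, params[:query]`), after confirming on this Rails version that those helpers do escape; escaping twice is not a safe substitute for checking.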


@ -24,17 +24,17 @@
<% session[:token] = @user.tokens.create.token unless session[:token] %> <% session[:token] = @user.tokens.create.token unless session[:token] %>
<% if params['mlon'] and params['mlat'] %> <% if params['mlon'] and params['mlat'] %>
<% lon = params['mlon'] %> <% lon = h(params['mlon']) %>
<% lat = params['mlat'] %> <% lat = h(params['mlat']) %>
<% zoom = params['zoom'] || '12' %> <% zoom = h(params['zoom']) || '12' %>
<% elsif @user and params['lon'].nil? and params['lat'].nil? %> <% elsif @user and params['lon'].nil? and params['lat'].nil? %>
<% lon = @user.home_lon %> <% lon = @user.home_lon %>
<% lat = @user.home_lat %> <% lat = @user.home_lat %>
<% zoom = '12' %> <% zoom = '12' %>
<%else%> <%else%>
<% lon = params['lon'] || '-0.1' %> <% lon = h(params['lon']) || '-0.1' %>
<% lat = params['lat'] || '51.5' %> <% lat = h(params['lat']) || '51.5' %>
<% zoom = params['zoom'] || '12' %> <% zoom = h(params['zoom']) || '12' %>
<% end %> <% end %>
<div id="map">You need a Flash player to use Potlatch, the <div id="map">You need a Flash player to use Potlatch, the
@ -54,7 +54,9 @@
fo.addVariable('long',lon); fo.addVariable('long',lon);
fo.addVariable('scale',sc); fo.addVariable('scale',sc);
fo.addVariable('token','<%= session[:token] %>'); fo.addVariable('token','<%= session[:token] %>');
<% if params['gpx'] %> fo.addVariable('gpx','<%= params['gpx']+"/data" %>'); <% end %> <% if params['gpx'] %>
fo.addVariable('gpx','<%= h(params['gpx']) + "/data" %>');
<% end %>
fo.write("map"); fo.write("map");
} }
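Review bot: `fo.addVariable('gpx','<%= h(params['gpx']) + "/data" %>');` in the second hunk interpolates the parameter into a single-quoted JavaScript string literal, and if `h` leaves `'` untouched, as Rails' `html_escape` did at the time (it rewrites only `&`, `<`, `>` and `"`), a `gpx` value containing `'` still breaks out of the literal and runs script. Use the escaper for that context, `fo.addVariable('gpx','<%= escape_javascript(params['gpx']) + "/data" %>');`, or better, since the value only builds a path, coerce it to an integer id first. The `h(params['zoom']) || '12'` fallbacks in the first hunk are also dead if `h(nil)` returns `""`, which is truthy; apply the default inside the call, `h(params['zoom'] || '12')`.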


@ -28,28 +28,28 @@ by the OpenStreetMap project and it's contributors.
<% if params['mlon'] and params['mlat'] %> <% if params['mlon'] and params['mlat'] %>
<% marker = true %> <% marker = true %>
<% mlon = params['mlon'] %> <% mlon = h(params['mlon']) %>
<% mlat = params['mlat'] %> <% mlat = h(params['mlat']) %>
<% end %> <% end %>
<% if params['minlon'] and params['minlat'] and params['maxlon'] and params['maxlat'] %> <% if params['minlon'] and params['minlat'] and params['maxlon'] and params['maxlat'] %>
<% bbox = true %> <% bbox = true %>
<% minlon = params['minlon'] %> <% minlon = h(params['minlon']) %>
<% minlat = params['minlat'] %> <% minlat = h(params['minlat']) %>
<% maxlon = params['maxlon'] %> <% maxlon = h(params['maxlon']) %>
<% maxlat = params['maxlat'] %> <% maxlat = h(params['maxlat']) %>
<% end %> <% end %>
<% if params['lon'] and params['lat'] %> <% if params['lon'] and params['lat'] %>
<% lon = params['lon'] %> <% lon = h(params['lon']) %>
<% lat = params['lat'] %> <% lat = h(params['lat']) %>
<% zoom = params['zoom'] || '5' %> <% zoom = h(params['zoom']) || '5' %>
<% layers = params['layers'] %> <% layers = h(params['layers']) %>
<% elsif params['mlon'] and params['mlat'] %> <% elsif params['mlon'] and params['mlat'] %>
<% lon = params['mlon'] %> <% lon = h(params['mlon']) %>
<% lat = params['mlat'] %> <% lat = h(params['mlat']) %>
<% zoom = params['zoom'] || '12' %> <% zoom = h(params['zoom']) || '12' %>
<% layers = params['layers'] %> <% layers = h(params['layers']) %>
<% elsif cookies.key?("location") %> <% elsif cookies.key?("location") %>
<% lon,lat,zoom,layers = cookies["location"].value.first.split(",") %> <% lon,lat,zoom,layers = cookies["location"].value.first.split(",") %>
<% elsif @user and !@user.home_lon.nil? and !@user.home_lat.nil? %> <% elsif @user and !@user.home_lon.nil? and !@user.home_lat.nil? %>
@ -67,8 +67,8 @@ by the OpenStreetMap project and it's contributors.
<% else %> <% else %>
<% lon = '-0.1' %> <% lon = '-0.1' %>
<% lat = '51.5' %> <% lat = '51.5' %>
<% zoom = params['zoom'] || '5' %> <% zoom = h(params['zoom']) || '5' %>
<% layers = params['layers'] %> <% layers = h(params['layers']) %>
<% end %> <% end %>
<% end %> <% end %>
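Review bot: The cookie branch `lon,lat,zoom,layers = cookies["location"].value.first.split(",")` in the first hunk assigns the same four variables from a client-controlled cookie without any escaping, while every sibling branch now wraps the query parameters in `h()`; whatever sink made the parameters dangerous is reachable through the cookie too, though that sink is outside this hunk. Either escape the parts, `lon,lat,zoom,layers = cookies["location"].value.first.split(",").map { |v| h(v) }`, or validate all sources alike with `Float()` for lon/lat and `Integer()` for zoom before they reach the map script. Note also that `h(params['zoom']) || '5'` and the `|| '12'` variant never fall back when the parameter is absent if `h(nil)` returns `""`, which is truthy; apply the default inside the call.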


@ -34,9 +34,9 @@
</script> </script>
<% if @user.home_lat.nil? or @user.home_lon.nil? %> <% if @user.home_lat.nil? or @user.home_lon.nil? %>
<% lon = params['lon'] || '-0.1' %> <% lon = h(params['lon']) || '-0.1' %>
<% lat = params['lat'] || '51.5' %> <% lat = h(params['lat']) || '51.5' %>
<% zoom = params['zoom'] || '4' %> <% zoom = h(params['zoom']) || '4' %>
<% else %> <% else %>
<% marker = true %> <% marker = true %>
<% mlon = @user.home_lon %> <% mlon = @user.home_lon %>
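Review bot: `h(params['lon']) || '-0.1'` and the `lat` and `zoom` lines below it apply the default to the escaped value, so if `h` converts a missing parameter to `""` — which Ruby treats as truthy — the fallback is never used and the three variables become empty strings; write `h(params['lon'] || '-0.1')` instead. Since these are numeric map coordinates, `Float(params['lon'] || '-0.1')` would reject junk outright and is safer than HTML escaping if the values are later embedded in a script block, as the `</script>` just above suggests; the consuming line is outside this hunk.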


@ -2,7 +2,7 @@
Please login or <%= link_to 'create an account', :controller => 'user', :action => 'new' %>.<br /> Please login or <%= link_to 'create an account', :controller => 'user', :action => 'new' %>.<br />
<% form_tag :action => 'login' do %> <% form_tag :action => 'login' do %>
<%= hidden_field_tag('referer', params[:referer]) %> <%= hidden_field_tag('referer', h(params[:referer])) %>
<table> <table>
<tr><td>Email Address:</td><td><%= text_field('user', 'email',{:size => 50, :maxlength => 255}) %></td></tr> <tr><td>Email Address:</td><td><%= text_field('user', 'email',{:size => 50, :maxlength => 255}) %></td></tr>
<tr><td>Password:</td><td><%= password_field('user', 'password',{:size => 50, :maxlength => 255}) %></td></tr> <tr><td>Password:</td><td><%= password_field('user', 'password',{:size => 50, :maxlength => 255}) %></td></tr>