Overview
Comment: Added safe handling for params
SHA1: 4bccacb50f3fae81f4299cccc4a481d1
User & Date: matt on 2016-09-22 06:28:07
Context
2016-09-24
07:07  Added recovery from bad form. But it is broken and I don't know why. Still seems rare ...  check-in: 44c407806c  user: matt  tags: trunk
2016-09-22
06:28  Added safe handling for params  check-in: 4bccacb50f  user: matt  tags: trunk
2016-09-21
04:34  Oops. Use the string result.  check-in: 8c0e13bea5  user: matt  tags: trunk
Changes
Modified doc/howto.txt from [9db6996c14] to [56cd7b3d4f].
141 142 143 144 145 146 147 | (s:input 'type "submit" 'name "form-name" 'value "login")) (s:get-input 'email-address) To preserve the input simply do a set of the value on the 'name field: (s:set! "email-address" "matt@kiatoa.com") | > > > > > > > > > | 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 | (s:input 'type "submit" 'name "form-name" 'value "login")) (s:get-input 'email-address) To preserve the input simply do a set of the value on the 'name field: (s:set! "email-address" "matt@kiatoa.com") Radio buttons: (s:div 'class "col_3" (s:input 'type "radio" 'id "group-type1" 'name "group-type" 'value "private" 'checked "checked") (s:label 'for "group-type1" 'class "inline" "Private") (s:input 'type "radio" 'id "group-type2" 'name "group-type" 'value "public") (s:label 'for "group-type2" 'class "inline" "Public")) (s:get-input 'group-type) ==> returns private or public depending on which is selected. |
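Review bot: the howto gains a radio-button example but says nothing about the new type-params argument that this same check-in adds to s:get-param, so a reader of doc/howto.txt will not learn that `(s:get-param key)` now runs string results through s:html-filter->string by default and that `'raw` or `'number` must be requested explicitly. Suggest a short entry next to the `(s:get-input 'group-type)` example, for instance `(s:get-param 'group-type 'raw)` and `(s:get-param 'count 'number)`, with a sentence saying which form is the default and why.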
Modified session.scm from [05707f5346] to [d1e5e81543].
715 716 717 718 719 720 721 | (cons header pagedat)))) (define (session:log self . msg) (with-output-to-port (sdat-get-log-port self) ;; (sdat-get-logpt self) (lambda () (apply print msg)))) | > > > > > > > > > > > > > > > > > > > > | | | > | 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 | (cons header pagedat)))) (define (session:log self . msg) (with-output-to-port (sdat-get-log-port self) ;; (sdat-get-logpt self) (lambda () (apply print msg)))) ;; escape, convert or return raw when given user input data that potentially ;; could be malicious ;; (define (session:apply-type-preference res params) (let* ((dtype (if (null? params) 'escaped (car params))) (tags (if (null? params) '() (cdr params)))) (case dtype ((raw) res) ((number) (if (string? res)(string->number res) #f)) ((escaped) (if (string? res) (s:html-filter->string res tags) res)) (else (if (string? res) (s:html-filter->string res '()) res))))) (define (session:get-param self key type-params) ;; (session:log s:session "params=" (slot-ref s:session 'params)) (let* ((params (sdat-get-params self)) (res (session:get-param-from params key))) (session:apply-type-preference res type-params))) ;; This one will get the first value found regardless of form ;; param: (dtype [tag1 tag2 ...]) ;; dtype: ;; 'raw : do no conversion ;; 'number : convert to number, return #f if fails ;; 'escaped : use html-escape to protect the input -- this is the default |
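Review bot: the trailing doc comment says `'escaped : use html-escape to protect the input`, but the `(escaped)` branch of session:apply-type-preference actually calls `(s:html-filter->string res tags)` with a tag list, which is filtering with an allowlist rather than plain escaping; the comment should name the real function and explain what `tag1 tag2 ...` permit, otherwise a caller may assume every `<` is neutralised when some tags pass through. Two smaller points in the same function: `((number) (if (string? res) (string->number res) #f))` discards a value that is already a number, and `string->number` accepts the full Scheme numeric syntax (radix prefixes, rationals, exponents), so when callers only expect a plain integer a `(and n (exact? n) n)` check, or a digits-only test before the conversion, would tighten it. The `else` branch falling back to filtering with an empty tag list is a good fail-safe default and worth keeping.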
766 767 768 769 770 771 772 | (if (and (vector? formdat)(eq? (vector-length formdat) 1)(hash-table? (vector-ref formdat 0))) (formdat:keys formdat) (begin (session:log self "ERROR: formdat: " formdat " is not of class <formdat>") #f))))) (define (session:run-actions self) | | | 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 | (if (and (vector? formdat)(eq? (vector-length formdat) 1)(hash-table? (vector-ref formdat 0))) (formdat:keys formdat) (begin (session:log self "ERROR: formdat: " formdat " is not of class <formdat>") #f))))) (define (session:run-actions self) (let* ((action (session:get-param self 'action '(raw))) (page (sdat-get-page self))) ;; (print "action=" action " page=" page) (if action (let ((action-lst (string-split action "."))) ;; (print "action-lst=" action-lst) (if (not (= (length action-lst) 2)) (err:log "Action should be of form: module.action") |
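Review bot: `(session:get-param self 'action '(raw))` deliberately bypasses the new filtering and the value is then split on "." to select module.action, so the only validation the visible code performs is the `(= (length action-lst) 2)` length check. Since both halves go on to name a module and an action, the same branch should also constrain each part (letters, digits, `-` and `_` only, or membership in the set of registered modules) before dispatch, so that a crafted `action` value cannot reach the lookup unchecked; the `err:log "Action should be of form: module.action"` message could then also cover the rejected-character case.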
Modified setup.scm from [967d19ca83] to [c2c51e03a9].
45 46 47 48 49 50 51 | (if (null? partsl) (session:call s:session page #f) (session:call s:session page (car partsl)))) (define (s:link-to page . params) (session:link-to s:session page params)) | | | | 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | (if (null? partsl) (session:call s:session page #f) (session:call s:session page (car partsl)))) (define (s:link-to page . params) (session:link-to s:session page params)) (define (s:get-param key . type-params) (session:get-param s:session key type-params)) ;; these are page local (define (s:get key) (session:page-get s:session key)) (define (s:set! key val) (session:curr-page-set! s:session key val)) |
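Review bot: changing s:get-param to `(define (s:get-param key . type-params) ...)` keeps every existing `(s:get-param key)` call compiling, but with an empty type-params list session:apply-type-preference defaults to `'escaped`, so those callers now receive the html-filtered string instead of the stored value. That is the right default for a safe-by-default API, but it is a behaviour change that the check-in comment "Added safe handling for params" does not flag; suggest noting it in the commit message and auditing callers that compare the result against literal strings or pass it to string->number, switching them to `'raw` or `'number` explicitly where needed.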