Overview

Comment: Ticket [09110adc43] - html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value. Package version bumped to 1.4.4. Extended the testsuite.
SHA1: 212d1feefe48dcc8827044ad53f5b350
User & Date: andreask 2015-02-26 19:26:18
References

2015-02-26 19:27  Closed ticket [09110adc43]: Cross-Site-Scripting (XSS) in html::textarea plus 6 other changes  (artifact: 088be66bcc, user: aku)
Context

2015-03-02 19:41  struct::pool - Modified error generation code to throw errors with a proper structured error code to support try/finally. Updated testsuite to match small changes in the error messages. Package version bumped to 1.2.2.  (check-in: 4ef518871c, user: andreask, tags: trunk)

2015-02-26 19:26  Ticket [09110adc43] - html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value. Package version bumped to 1.4.4. Extended the testsuite.  (check-in: 212d1feefe, user: andreask, tags: trunk)

2015-02-24 23:20  Ticket [8e643b5d66] - coroutine, coroutine::auto. Fixed mishandling of "gets" when called without any arguments. Version bumped to 1.1.3 (both).  (check-in: 45c988bdfc, user: andreask, tags: trunk)
Changes
Changes to modules/html/html.man.
1 | [comment {-*- tcl -*- doctools manpage}] | | | 1 2 3 4 5 6 7 8 9 | [comment {-*- tcl -*- doctools manpage}] [vset HTML_VERSION 1.4.4] [manpage_begin html n [vset HTML_VERSION]] [see_also htmlparse] [see_also ncgi] [keywords checkbox] [keywords checkbutton] [keywords form] [keywords html] |
︙ | ︙ |
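Review bot: the html.man hunk only bumps HTML_VERSION to 1.4.4 and leaves the documentation of the textarea command untouched, although this check-in changes what that command emits: the current value is now passed through quoteFormValue before being placed between the textarea tags. That is a behaviour change callers need to know about, in particular any caller that was escaping the value itself before handing it to html::textarea and would now see the escaping applied a second time. The textarea entry in html.man should state that the value is HTML-quoted on output and that callers must not pre-escape it.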
Changes to modules/html/html.tcl.
︙ | ︙ | |||
11 12 13 14 15 16 17 | # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # # Originally by Brent Welch, with help from Dan Kuchler and Melissa Chawla package require Tcl 8.2 package require ncgi | | | 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # # Originally by Brent Welch, with help from Dan Kuchler and Melissa Chawla package require Tcl 8.2 package require ncgi package provide html 1.4.4 namespace eval ::html { # State about the current page variable page |
︙ | ︙ | |||
908 909 910 911 912 913 914 | # param The various size, multiple parameters for the tag # current Value to assume if nothing is in CGI state # # Results: # The html fragment proc ::html::textarea {name {param {}} {current {}}} { | | | 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 | # param The various size, multiple parameters for the tag # current Value to assume if nothing is in CGI state # # Results: # The html fragment proc ::html::textarea {name {param {}} {current {}}} { ::set value [quoteFormValue [ncgi::value $name $current]] return "<[string trimright \ "textarea name=\"$name\"\ [tagParam textarea $param]"]>$value</textarea>\n" } # ::html::submit -- # |
︙ | ︙ |
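Review bot: only $value is routed through quoteFormValue in the new ::html::textarea body; $name is still interpolated raw into name=\"$name\", and the result of [tagParam textarea $param] is concatenated unmodified. A double quote in the field name breaks out of the attribute exactly the way a literal </textarea> in the value used to break out of the element, so the fix is complete only if name and param are guaranteed to be trusted literals. Either quote $name with the same routine, or document in the proc header comment (which currently describes name, param and current without saying which are trusted) that name and param must never come from request data.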
Changes to modules/html/html.test.
︙ | ︙ | |||
449 450 451 452 453 454 455 456 457 458 459 460 461 462 | textarea.rows 8 } ncgi::reset info=[ncgi::encode "The textarea value."] ncgi::parse html::textarea info } {<textarea name="info" cols="50" rows="8">The textarea value.</textarea> } test html-24.1 {html::submit} { catch {html::submit} } {1} test html-24.2 {html::submit} { catch {html::submit wrong num args} | > > > > > > > > > > > > | 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 | textarea.rows 8 } ncgi::reset info=[ncgi::encode "The textarea value."] ncgi::parse html::textarea info } {<textarea name="info" cols="50" rows="8">The textarea value.</textarea> } test html-23.3 {html::textarea, dangerous input} { html::init { textarea.cols 50 textarea.rows 8 } ncgi::reset info=[ncgi::encode "</textarea><script>alert(1)</script>"] ncgi::parse html::textarea info } {<textarea name="info" cols="50" rows="8"></textarea><script>alert(1)</script></textarea> } test html-24.1 {html::submit} { catch {html::submit} } {1} test html-24.2 {html::submit} { catch {html::submit wrong num args} |
︙ | ︙ |
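Review bot: the expected result of html-23.3 as shown contains the raw `</textarea><script>alert(1)</script>` payload, which is precisely the unquoted output that the quoteFormValue call added to html.tcl in this same check-in is meant to prevent. With that change in place html::textarea no longer emits the literal angle brackets, so an expectation holding the raw payload would fail against the fixed code and pass against the vulnerable one. The expected string should hold the entity-escaped form that quoteFormValue produces; if the raw form here is only an artifact of the page rendering having decoded the entities, confirm that against the checked-in html.test. Separately, the new test pins down only the `<` and `>` mapping; a second case whose input carries `"`, `'` and `&` would lock in the full set of characters the quoting routine is relied on to escape.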
Changes to modules/html/pkgIndex.tcl.
1 | if {![package vsatisfies [package provide Tcl] 8.2]} {return} | | | 1 2 | if {![package vsatisfies [package provide Tcl] 8.2]} {return} package ifneeded html 1.4.4 [list source [file join $dir html.tcl]] |