Tcl Library Source Code

Check-in [212d1feefe]

Overview
Comment:Ticket [09110adc43] - html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value. Package version bumped to 1.4.4. Extended the testsuite.
SHA1: 212d1feefe48dcc8827044ad53f5b35070660ca7
User & Date: andreask 2015-02-26 19:26:18
References
2015-02-26
19:27 Closed ticket [09110adc43]: Cross-Site-Scripting (XSS) in html::textarea plus 6 other changes artifact: 088be66bcc user: aku
Context
2015-03-02
19:41
struct::pool - Modified error generation code to throw errors with a proper structured error code to support try/finally. Updated testsuite to match small changes in the error messages. Package version bumped to 1.2.2. check-in: 4ef518871c user: andreask tags: trunk
2015-02-26
19:26
Ticket [09110adc43] - html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value. Package version bumped to 1.4.4. Extended the testsuite. check-in: 212d1feefe user: andreask tags: trunk
2015-02-24
23:20
Ticket [8e643b5d66] - coroutine, coroutine::auto. Fixed mishandling of "gets" when called without any arguments. Version bumped to 1.1.3 (both). check-in: 45c988bdfc user: andreask tags: trunk
Changes

Changes to modules/html/html.man.

1
2
3
4
5
6
7
8
9
[comment {-*- tcl -*- doctools manpage}]
[vset HTML_VERSION 1.4.3]
[manpage_begin html n [vset HTML_VERSION]]
[see_also htmlparse]
[see_also ncgi]
[keywords checkbox]
[keywords checkbutton]
[keywords form]
[keywords html]

|







1
2
3
4
5
6
7
8
9
[comment {-*- tcl -*- doctools manpage}]
[vset HTML_VERSION 1.4.4]
[manpage_begin html n [vset HTML_VERSION]]
[see_also htmlparse]
[see_also ncgi]
[keywords checkbox]
[keywords checkbutton]
[keywords form]
[keywords html]
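Review bot: the manpage change is only the version bump (HTML_VERSION 1.4.3 to 1.4.4); the documentation for the textarea command is not updated to state that the current value is now HTML-escaped before it is emitted. A sentence in the textarea entry saying the value is quoted on output would tell callers not to pre-escape it themselves, which would otherwise produce double-encoded text such as `&amp;lt;`.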

Changes to modules/html/html.tcl.

11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# See the file "license.terms" for information on usage and redistribution
# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
#
# Originally by Brent Welch, with help from Dan Kuchler and Melissa Chawla

package require Tcl 8.2
package require ncgi
package provide html 1.4.3

namespace eval ::html {

    # State about the current page

    variable page








|







11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# See the file "license.terms" for information on usage and redistribution
# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
#
# Originally by Brent Welch, with help from Dan Kuchler and Melissa Chawla

package require Tcl 8.2
package require ncgi
package provide html 1.4.4

namespace eval ::html {

    # State about the current page

    variable page

908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
#	param		The various size, multiple parameters for the tag
#	current		Value to assume if nothing is in CGI state
#
# Results:
#	The html fragment

proc ::html::textarea {name {param {}} {current {}}} {
    ::set value [ncgi::value $name $current]
    return "<[string trimright \
	"textarea name=\"$name\"\
		[tagParam textarea $param]"]>$value</textarea>\n"
}

# ::html::submit --
#







|







908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
#	param		The various size, multiple parameters for the tag
#	current		Value to assume if nothing is in CGI state
#
# Results:
#	The html fragment

proc ::html::textarea {name {param {}} {current {}}} {
    ::set value [quoteFormValue [ncgi::value $name $current]]
    return "<[string trimright \
	"textarea name=\"$name\"\
		[tagParam textarea $param]"]>$value</textarea>\n"
}

# ::html::submit --
#
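Review bot: the fix wraps the looked-up value in `quoteFormValue`, so text placed between `<textarea ...>` and `</textarea>` can no longer close the element early; this is the right place to do it, since the value comes from `ncgi::value` and is therefore request-controlled. Two follow-ups worth considering: the `name` argument is still interpolated raw into `name=\"$name\"`, which is fine while callers pass a literal but would need the same quoting if a name were ever derived from request data, and the `current` default also passes through `quoteFormValue`, so callers must supply it unescaped. Note also that `quoteFormValue` is called unqualified; that resolves correctly only because the proc is defined as `::html::textarea` and its body runs in the `::html` namespace.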

Changes to modules/html/html.test.

449
450
451
452
453
454
455












456
457
458
459
460
461
462
	textarea.rows 8
    }
    ncgi::reset info=[ncgi::encode "The textarea value."]
    ncgi::parse
    html::textarea info
} {<textarea name="info" cols="50" rows="8">The textarea value.</textarea>
}













test html-24.1 {html::submit} {
    catch {html::submit}
} {1}

test html-24.2 {html::submit} {
    catch {html::submit wrong num args}







>
>
>
>
>
>
>
>
>
>
>
>







449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
	textarea.rows 8
    }
    ncgi::reset info=[ncgi::encode "The textarea value."]
    ncgi::parse
    html::textarea info
} {<textarea name="info" cols="50" rows="8">The textarea value.</textarea>
}

test html-23.3 {html::textarea, dangerous input} {
    html::init {
	textarea.cols 50
	textarea.rows 8
    }
    ncgi::reset info=[ncgi::encode "</textarea><script>alert(1)</script>"]
    ncgi::parse
    html::textarea info
} {<textarea name="info" cols="50" rows="8">&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;</textarea>
}


test html-24.1 {html::submit} {
    catch {html::submit}
} {1}

test html-24.2 {html::submit} {
    catch {html::submit wrong num args}
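Review bot: html-23.3 is a good regression test for this ticket, confirming that `</textarea><script>alert(1)</script>` is emitted as `&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;` and cannot close the element. It only exercises `<` and `>`, though; a second case feeding a value containing `&` and `"` would confirm the rest of `quoteFormValue`'s escaping, and one with an already-encoded entity such as `&amp;` would pin down the double-encoding behaviour that callers now depend on. The expected value ends with a newline inside the braces, matching the `\n` the proc appends, so the test will pass as written.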

Changes to modules/html/pkgIndex.tcl.

1
2
if {![package vsatisfies [package provide Tcl] 8.2]} {return}
package ifneeded html 1.4.3 [list source [file join $dir html.tcl]]

|
1
2
if {![package vsatisfies [package provide Tcl] 8.2]} {return}
package ifneeded html 1.4.4 [list source [file join $dir html.tcl]]
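Review bot: the `package ifneeded html 1.4.4` line matches the `package provide html 1.4.4` in html.tcl and the `HTML_VERSION 1.4.4` in html.man, so the three version declarations stay consistent and the patched `textarea` is what `package require html` loads.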