
Item7832: Sanitation of form fields

Item Form Data

| AppliesTo | Component | Priority | CurrentState | WaitingFor | TargetRelease | ReleasedIn |
| Extension | TWikiUserMappingContrib | Normal | Closed | | patch | 6.1.0 |


Detail

-- TWiki:Main/PeterThoeny - 2018-01-01

Fix:

Index: data/Main/ChangeProfilePicture.txt
===================================================================
--- data/Main/ChangeProfilePicture.txt   (revision 30410)
+++ data/Main/ChangeProfilePicture.txt   (working copy)
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="TWikiContributor" date="1401491605" format="1.1" version="$Rev$"}%
+%META:TOPICINFO{author="TWikiContributor" date="1514787124" format="1.1" version="$Rev$"}%
 ---+ %MAKETEXT{"Change Profile Picture of [_1]" args="%URLPARAM{ "wikiname" default=" " }%" }%
 
 <!--<pre>-->
@@ -112,7 +112,7 @@
 <div class="profileHeader">
 %MAKETEXT{"Current picture"}%:
 </div>
-%CALCULATE{$SET(current-image, %FORMFIELD{ "Image" topic="%URLPARAM{wikiname}%" }%)}%<nop>
+%CALCULATE{$SET(current-image, %FORMFIELD{ "Image" topic="%URLPARAM{wikiname}%" encode="safe" }%)}%<nop>
 <img %IF{
  "'%URLPARAM{wikiname}%'/attachments[name='%CALCULATE{$GET(current-image)}%']"
  then='src="%PUBURLPATH%/%WEB%/%URLPARAM{wikiname}%/%CALCULATE{$GET(current-image)}%" title="%CALCULATE{$GET(cur
rent-image)}%"'
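Review bot: `%URLPARAM{wikiname}%` in the `topic=` parameter and in the `attachments[...]` query of this hunk stays unencoded while the field value gets `encode="safe"`; `wikiname` is request-controlled, so either confirm that URLPARAM's default encoding in this codebase is already the safe one or add `encode="safe"` there as well for symmetry. Also worth stating in the checkin message: the encoded value cached by `$SET(current-image, ...)` is what `attachments[name='%CALCULATE{$GET(current-image)}%']` compares against on the next line, so an Image field whose value contains a character that `encode="safe"` turns into an entity (a quote, for instance) will no longer match any attachment and the `<img>` falls through to the `else` branch. That is the right fail-closed behaviour, but it is a visible change for anyone who had such a filename.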
Index: data/Main/UserProfileHeader.txt
===================================================================
--- data/Main/UserProfileHeader.txt   (revision 30410)
+++ data/Main/UserProfileHeader.txt   (working copy)
@@ -1,9 +1,9 @@
-%META:TOPICINFO{author="TWikiContributor" date="1413362552" format="1.1" version="$Rev$"}%
+%META:TOPICINFO{author="TWikiContributor" date="1514787116" format="1.1" version="$Rev$"}%
 ---+ Header of User Profile Pages
 
 __Note:__ This is a maintenance topic, used by the TWiki Administrator.
 
-The part between the horizontal rules gets included at the top of every [[%WIKIUSERSTOPIC%]] profile page. The h
eader can be customized to the needs of your organization. The TWiki:TWiki.UserHomepageSupplement has some additi
onal documentation and ideas on customizing the user profile pages.
+The part between the horizontal rules gets included at the top of every [[%WIKIUSERSTOPIC%]] profile page. The h
eader can be customized to the needs of your organization. The TWiki:TWiki.UserHomepageSupplement has some additi
onal documentation and ideas on customizing the user profile pages. __If you customize this topic make sure to re
apply the changes after a TWiki upgrade.__
 
 -----
 %STARTINCLUDE%
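Review bot: the sentence added here about reapplying customizations after an upgrade also describes a gap in this fix. UserProfileHeader is a Main-web maintenance topic that sites are expected to edit, so an installation with a customized copy will not pick up the `encode="safe"` changes in the hunks below when it upgrades and keeps rendering unsanitized form fields. Suggest calling that out explicitly in the TWikiUserMappingContrib release notes so admins know to re-apply the FORMFIELD encoding to their local copy.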
@@ -56,7 +56,7 @@
 <a href="%SCRIPTURL{viewauth}%/%WEB%/ChangeProfilePicture?wikiname=%INCLUDINGTOPIC%" title="%MAKETEXT{"Change pr
ofile picture"}%" class="changePicture" rel="nofollow">&nbsp;<img src='%ICONURLPATH{uweb-bo12}%' width='12' heigh
t='12' alt='' border='0' style='vertical-align: middle' /> %MAKETEXT{"Change"}%&nbsp;</a>
 </div>
 <div id="profilePicture">
-%CALCULATE{$SET(image, %FORMFIELD{ "Image" topic="%INCLUDINGTOPIC%" }%)}%<nop>
+%CALCULATE{$SET(image, %FORMFIELD{ "Image" topic="%INCLUDINGTOPIC%" encode="safe" }%)}%<nop>
 %IF{
  "'%INCLUDINGTOPIC%'/attachments[name='%CALCULATE{$GET(image)}%']"
  then='<a href="%PUBURLPATH%/%WEB%/%INCLUDINGTOPIC%/%CALCULATE{$GET(image)}%" rel="nofollow"><img src="%PUBURLPA
TH%/%WEB%/%INCLUDINGTOPIC%/%CALCULATE{$GET(image)}%" width="200" border="0" alt="" /></a>'
@@ -65,10 +65,10 @@
 </div>
 <div style="margin-top: 5px; overflow: hidden; white-space: nowrap; line-height: 28px; width: 200px;">
 <noautolink>
-%ICON{mail}% %FORMFIELD{ "Email" topic="%INCLUDINGTOPIC%" }% &nbsp;
-%BR%%ICON{phone}% %FORMFIELD{ "Telephone" topic="%INCLUDINGTOPIC%" }% &nbsp;
-%BR%%ICON{mobile}% %FORMFIELD{ "Mobile" topic="%INCLUDINGTOPIC%" }% &nbsp;
-%BR%%ICON{skype}% %FORMFIELD{ "SkypeID" topic="%INCLUDINGTOPIC%" }% &nbsp;
+%ICON{mail}% %FORMFIELD{ "Email" topic="%INCLUDINGTOPIC%" encode="safe" }% &nbsp;
+%BR%%ICON{phone}% %FORMFIELD{ "Telephone" topic="%INCLUDINGTOPIC%" encode="safe" }% &nbsp;
+%BR%%ICON{mobile}% %FORMFIELD{ "Mobile" topic="%INCLUDINGTOPIC%" encode="safe" }% &nbsp;
+%BR%%ICON{skype}% %FORMFIELD{ "SkypeID" topic="%INCLUDINGTOPIC%" encode="safe" }% &nbsp;
 </noautolink>
 </div>
 </td><td valign="top">
@@ -76,7 +76,7 @@
 </td><td valign="top" colspan="3">
 <noautolink>
 <h1>
-%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" }% %FORMFIELD{ "LastName" topic="%INCLUDINGTOPIC%" }% <span sty
le="font-size: 60%"> %FORMFIELD{ "StatusUpdate" topic="%INCLUDINGTOPIC%" }%</span>
+%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" encode="safe" }% %FORMFIELD{ "LastName" topic="%INCLUDINGTOPIC%
" encode="safe" }% <span style="font-size: 60%"> %FORMFIELD{ "StatusUpdate" topic="%INCLUDINGTOPIC%" encode="safe
" }%</span>
 </h1>
 </noautolink>
 </td></tr><tr><td></td><td valign="top" class="profileBox">
@@ -88,20 +88,20 @@
 </div>
 <div style="clear: right;"></div>
 <div id="viewInfo">
-|  %MAKETEXT{"Title"}%: | <noautolink> %FORMFIELD{ "Titles" topic="%INCLUDINGTOPIC%" }% </noautolink> |
-|  %MAKETEXT{"Department"}%: | <noautolink> %FORMFIELD{ "Department" topic="%INCLUDINGTOPIC%" }% </noautolink> |
-|  %MAKETEXT{"Organization"}%: | <noautolink> %FORMFIELD{ "Organization" topic="%INCLUDINGTOPIC%" }% </noautolin
k> |
-|  %MAKETEXT{"URL"}%: | %FORMFIELD{ "URL" topic="%INCLUDINGTOPIC%" }% |
-|  %MAKETEXT{"Location"}%: | <noautolink> %FORMFIELD{ "Location" topic="%INCLUDINGTOPIC%" }% </noautolink> |
-|  %MAKETEXT{"Region"}%: | <noautolink> %FORMFIELD{ "Region" topic="%INCLUDINGTOPIC%" }% </noautolink> |
-|  %MAKETEXT{"Country"}%: | <noautolink> %FORMFIELD{ "Country" topic="%INCLUDINGTOPIC%" }% </noautolink> |
+|  %MAKETEXT{"Title"}%: | <noautolink> %FORMFIELD{ "Titles" topic="%INCLUDINGTOPIC%" encode="safe" }% </noautoli
nk> |
+|  %MAKETEXT{"Department"}%: | <noautolink> %FORMFIELD{ "Department" topic="%INCLUDINGTOPIC%" encode="safe" }% <
/noautolink> |
+|  %MAKETEXT{"Organization"}%: | <noautolink> %FORMFIELD{ "Organization" topic="%INCLUDINGTOPIC%" encode="safe" 
}% </noautolink> |
+|  %MAKETEXT{"URL"}%: | %FORMFIELD{ "URL" topic="%INCLUDINGTOPIC%" encode="safe" }% |
+|  %MAKETEXT{"Location"}%: | <noautolink> %FORMFIELD{ "Location" topic="%INCLUDINGTOPIC%" encode="safe" }% </noa
utolink> |
+|  %MAKETEXT{"Region"}%: | <noautolink> %FORMFIELD{ "Region" topic="%INCLUDINGTOPIC%" encode="safe" }% </noautol
ink> |
+|  %MAKETEXT{"Country"}%: | <noautolink> %FORMFIELD{ "Country" topic="%INCLUDINGTOPIC%" encode="safe" }% </noaut
olink> |
 </div>
 </td><td valign="top">
 <img src="%PUBURLPATH%/%WEB%/UserProfileHeader/spacer.gif" width="20" height="1" />
 </td><td valign="top" class="profileBox" style="min-width: 200px; width: 300px;">
 %CALCULATE{$SET(showwatchlist, %IF{ "context WatchlistPluginEnabled AND NOT '%TAGCLOUDPROFILE%'='on'" then="1" e
lse="0" }%)}%<nop>
 <div style="display: %CALCULATE{$IF($GET(showwatchlist), block, none)}%;">
-<b>%MAKETEXT{"Watchlist Changes of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" }%"}%</b>
+<b>%MAKETEXT{"Watchlist Changes of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" encode="sa
fe" }%"}%</b>
 <div style="height:18em; min-width: 180px; overflow:hidden; overflow-y:auto; margin-right: -8px;">
 %WATCHLIST{
  "showchanges"
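Review bot: the `URL` row in this hunk is the only field rendered outside `<noautolink>`, presumably so TWiki auto-links it; with `encode="safe"` the value's special characters are turned into HTML entities before the auto-linker sees them, so please test a URL field containing percent-escapes or a query string and confirm the link is still recognised and still points where the user typed it. The `args="<nop>%FORMFIELD{ "FirstName" ... encode="safe" }%"` change at the end of the hunk deserves a line in the checkin message too: besides the XSS angle, encoding the value stops a FirstName containing a double quote from terminating the MAKETEXT `args` parameter early, since FORMFIELD is expanded before MAKETEXT parses its parameters.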
@@ -119,7 +119,7 @@
 </div>
 </div>
 <div style="display: %CALCULATE{$IF($GET(showwatchlist), none, block)}%;">
-<b>%MAKETEXT{"Tag Cloud of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" }%"}%</b>
+<b>%MAKETEXT{"Tag Cloud of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" encode="safe" }%"}
%</b>
 <div style="height:18em; min-width: 180px; overflow:hidden; overflow-y:auto;">
 %TAGME{ tpaction="%CALCULATE{$IF($GET(showwatchlist), DISABLE, showalltags)}%" format="<a href=\"%SCRIPTURL{view
}%/%SYSTEMWEB%/TagMeSearch?tag=$tag;by=%INCLUDINGTOPIC%\" style=\"font-size:$size%\">$tag</a>" separator="&nbsp; 
"  minsize="80" maxsize="120" by="%INCLUDINGTOPIC%" }%
 </div>
@@ -131,8 +131,8 @@
 <form action="%SCRIPTURL{save}%/%INCLUDINGWEB%/%INCLUDINGTOPIC%" method="post">
 <table border="0" cellspacing="0" cellpadding="0"><tr><td valign="top" class="profileBox" style="width: 200px;" 
rowspan="2">
 <img src="%IF{
- "'%INCLUDINGTOPIC%'/attachments[name='%FORMFIELD{ "Image" topic="%INCLUDINGTOPIC%" }%']"
- then='%PUBURLPATH%/%WEB%/%INCLUDINGTOPIC%/$percntFORMFIELD{ "Image" topic="%INCLUDINGTOPIC%" }$percnt'
+ "'%INCLUDINGTOPIC%'/attachments[name='%FORMFIELD{ "Image" topic="%INCLUDINGTOPIC%" encode="safe" }%']"
+ then='%PUBURLPATH%/%WEB%/%INCLUDINGTOPIC%/$percntFORMFIELD{ "Image" topic="%INCLUDINGTOPIC%" encode="safe" }$pe
rcnt'
  else='%PUBURLPATH%/%WEB%/UserProfileHeader/default-user-profile.jpg'
 }%" width="200" alt="" />
 <div style="margin-top: 5px; overflow: hidden; white-space: nowrap; line-height: 28px; width: 200px;">
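Review bot: this edit-mode image block evaluates `%FORMFIELD{ "Image" ... }%` twice, once in the `%IF{` condition and once via `$percntFORMFIELD{ ... }$percnt` in `then=`, whereas the view-mode block in the -56 hunk caches it once with `$SET(image, ...)` and reads `$GET(image)`. Both occurrences here did receive `encode="safe"`, so the hunk is correct as-is, but using the same `$SET`/`$GET` pattern would make the encoding a single point of change and avoid one copy being missed in a later edit.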
@@ -150,7 +150,7 @@
 <table border="0" cellspacing="0" cellpadding="0"><tr><td valign="top" style="white-space: nowrap">
 <noautolink>
 <h1>
-%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" }% %FORMFIELD{ "LastName" topic="%INCLUDINGTOPIC%" }%
+%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" encode="safe" }% %FORMFIELD{ "LastName" topic="%INCLUDINGTOPIC%
" encode="safe" }%
 </h1>
 </noautolink>
 </td><td>&nbsp;</td><td valign="top">
@@ -173,13 +173,13 @@
 <img src="%PUBURLPATH%/%WEB%/UserProfileHeader/spacer.gif" width="20" height="1" />
 </td><td valign="top" class="profileBox" style="min-width: 200px;">
 <div style="display: %CALCULATE{$IF($GET(showwatchlist), block, none)}%;">
-<b>%MAKETEXT{"Watchlist Changes of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" }%"}%</b>
+<b>%MAKETEXT{"Watchlist Changes of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" encode="sa
fe" }%"}%</b>
 %BR%%BR%
 <strong><em>%MAKETEXT{"Note:"}%</em></strong>
 %MAKETEXT{"Watch topics to see watchlist changes."}%
 </div>
 <div style="display: %CALCULATE{$IF($GET(showwatchlist), none, block)}%;">
-<b>%MAKETEXT{"Tag Cloud of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" }%"}%</b>
+<b>%MAKETEXT{"Tag Cloud of [_1]:" args="<nop>%FORMFIELD{ "FirstName" topic="%INCLUDINGTOPIC%" encode="safe" }%"}
%</b>
 %BR%%BR%
 <strong><em>%MAKETEXT{"Note:"}%</em></strong>
 %MAKETEXT{"Tag topics to modify your tag cloud."}%
@@ -198,7 +198,7 @@
 
    * Set ALLOWTOPICCHANGE = TWikiAdminGroup
 
-__Related topics:__ [[%WIKIUSERSTOPIC%]], [[%SYSTEMWEB%.UserForm][UserForm]], [[%SYSTEMWEB%.NewUserTemplate][New
UserTemplate]], [[%SYSTEMWEB%.TWikiRegistration][TWikiRegistration]], [[%SYSTEMWEB%.TWikiForms][TWikiForms]]
+__Related topics:__ [[UserList]], [[%WIKIUSERSTOPIC%]], ChangeProfilePicture, %IF{"istopic 'UserForm'" then="[[U
serForm]],"}% %IF{"istopic 'NewUserTemplate'" then="[[NewUserTemplate]],"}% [[%SYSTEMWEB%.UserForm]], [[%SYSTEMWE
B%.NewUserTemplate]], [[%SYSTEMWEB%.TWikiRegistration]], [[%SYSTEMWEB%.TWikiForms]]
 
 %META:FILEATTACHMENT{name="gradient-title.png" attachment="gradient-title.png" attr="h" comment="" date="1307256
050" path="gradient-title.png" size="207" user="TWikiContributor" version="1"}%
 %META:FILEATTACHMENT{name="spacer.gif" attachment="spacer.gif" attr="h" comment="" date="1307260346" path="space
r.gif" size="43" user="TWikiContributor" version="1"}%

-- TWiki:Main/PeterThoeny - 2018-01-01

ItemTemplate

| Summary | Sanitation of form fields |
| ReportedBy | TWiki:Main.PeterThoeny |
| Codebase | ~twiki4, 6.0.2 |
| SVN Range | TWiki-6.0.2-trunk, Fri, 03 Nov 2017, build 30403 |
| AppliesTo | Extension |
| Component | TWikiUserMappingContrib |
| Priority | Normal |
| CurrentState | Closed |
| WaitingFor | |
| Checkins | TWikirev:30417 TWikirev:30418 |
| TargetRelease | patch |
| ReleasedIn | 6.1.0 |
Topic revision: r6 - 2018-07-17 - PeterThoeny