Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Change the action= attribute of <form> elements using javascript, as an additional defense against spam-bots. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
dfa3579455cd3491bf159e9af3ef18c7 |
| User & Date: | drh 2012-11-20 22:13:58.607 |
Context
|
2012-11-20
| ||
| 22:28 | Centralize escaping of reserved HTML characters in the captcha output. ... (check-in: a460326337 user: mistachkin tags: trunk) | |
| 22:13 | Change the action= attribute of <form> elements using javascript, as an additional defense against spam-bots. ... (check-in: dfa3579455 user: drh tags: trunk) | |
| 20:31 | When db_open_config() is called with the useAttach parameter set to non-zero, it may need to close and reopen the database using ATTACH if that was not done previously. ... (check-in: fb04f27829 user: drh tags: trunk) | |
Changes
Changes to src/attach.c.
| ︙ | ︙ | |||
316 317 318 319 320 321 322 |
attach_put(&manifest, rid, needModerator);
assert( blob_is_reset(&manifest) );
db_end_transaction(0);
cgi_redirect(zFrom);
}
style_header("Add Attachment");
@ <h2>Add Attachment To %s(zTargetType)</h2>
| < | > | 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 |
attach_put(&manifest, rid, needModerator);
assert( blob_is_reset(&manifest) );
db_end_transaction(0);
cgi_redirect(zFrom);
}
style_header("Add Attachment");
@ <h2>Add Attachment To %s(zTargetType)</h2>
form_begin("enctype='multipart/form-data'", "%R/attachadd");
@ <div>
@ File to Attach:
@ <input type="file" name="f" size="60" /><br />
@ Description:<br />
@ <textarea name="comment" cols="80" rows="5" wrap="virtual"></textarea><br />
if( zTkt ){
@ <input type="hidden" name="tkt" value="%h(zTkt)" />
}else{
|
| ︙ | ︙ | |||
431 432 433 434 435 436 437 |
db_end_transaction(0);
@ <p>The attachment below has been deleted.</p>
}
if( P("del")
&& ((zTktUuid && g.perm.WrTkt) || (zWikiName && g.perm.WrWiki))
){
| | | 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 |
db_end_transaction(0);
@ <p>The attachment below has been deleted.</p>
}
if( P("del")
&& ((zTktUuid && g.perm.WrTkt) || (zWikiName && g.perm.WrWiki))
){
form_begin(0, "%R/ainfo/%s", zUuid);
@ <p>Confirm you want to delete the attachment shown below.
@ <input type="submit" name="confirm" value="Confirm">
@ </form>
}
isModerator = (zTktUuid && g.perm.ModTkt) || (zWikiName && g.perm.ModWiki);
if( isModerator && (zModAction = P("modaction"))!=0 ){
|
| ︙ | ︙ | |||
495 496 497 498 499 500 501 |
}
@ <tr><th valign="top">Description:</th><td valign="top">%h(zDesc)</td></tr>
@ </table>
if( isModerator && modPending ){
@ <div class="section">Moderation</div>
@ <blockquote>
| | | 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 |
}
@ <tr><th valign="top">Description:</th><td valign="top">%h(zDesc)</td></tr>
@ </table>
if( isModerator && modPending ){
@ <div class="section">Moderation</div>
@ <blockquote>
form_begin(0, "%R/ainfo/%s", zUuid);
@ <label><input type="radio" name="modaction" value="delete">
@ Delete this change</label><br />
@ <label><input type="radio" name="modaction" value="approve">
@ Approve this change</label><br />
@ <input type="submit" value="Submit">
@ </form>
@ </blockquote>
|
| ︙ | ︙ |
Changes to src/captcha.c.
| ︙ | ︙ | |||
250 251 252 253 254 255 256 |
" / /_ ",
"|____|",
/* 3 */
" ____ ",
"|___ \\ ",
" __) |",
| | | 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 |
" / /_ ",
"|____|",
/* 3 */
" ____ ",
"|___ \\ ",
" __) |",
" |__ < ",
" ___) |",
"|____/ ",
/* 4 */
" _ _ ",
"| || | ",
"| || |_ ",
|
| ︙ | ︙ | |||
290 291 292 293 294 295 296 |
" / / ",
" /_/ ",
/* 8 */
" ___ ",
" / _ \\ ",
"| (_) |",
| | | 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 |
" / / ",
" /_/ ",
/* 8 */
" ___ ",
" / _ \\ ",
"| (_) |",
" > _ < ",
"| (_) |",
" \\___/ ",
/* 9 */
" ___ ",
" / _ \\ ",
"| (_) |",
|
| ︙ | ︙ | |||
314 315 316 317 318 319 320 |
" / ____ \\ ",
"/_/ \\_\\",
/* B */
" ____ ",
"| _ \\ ",
"| |_) |",
| | | 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 |
" / ____ \\ ",
"/_/ \\_\\",
/* B */
" ____ ",
"| _ \\ ",
"| |_) |",
"| _ < ",
"| |_) |",
"|____/ ",
/* C */
" _____ ",
" / ____|",
"| | ",
|
| ︙ | ︙ |
Changes to src/info.c.
| ︙ | ︙ | |||
2181 2182 2183 2184 2185 2186 2187 |
}
@ </blockquote>
@ <hr />
blob_reset(&suffix);
}
@ <p>Make changes to attributes of check-in
@ [%z(href("%R/ci/%s",zUuid))%s(zUuid)</a>]:</p>
| | | | 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 |
}
@ </blockquote>
@ <hr />
blob_reset(&suffix);
}
@ <p>Make changes to attributes of check-in
@ [%z(href("%R/ci/%s",zUuid))%s(zUuid)</a>]:</p>
form_begin(0, "%R/ci_edit");
login_insert_csrf_secret();
@ <div><input type="hidden" name="r" value="%S(zUuid)" />
@ <table border="0" cellspacing="10">
@ <tr><td align="right" valign="top"><b>User:</b></td>
@ <td valign="top">
@ <input type="text" name="u" size="20" value="%h(zNewUser)" />
@ </td></tr>
|
| ︙ | ︙ |
Changes to src/login.c.
| ︙ | ︙ | |||
563 564 565 566 567 568 569 |
}
}
style_header("Login/Logout");
@ %s(zErrMsg)
if( zGoto && P("anon")==0 ){
@ <p>A login is required for <a href="%h(zGoto)">%h(zGoto)</a>.</p>
}
| | | 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 |
}
}
style_header("Login/Logout");
@ %s(zErrMsg)
if( zGoto && P("anon")==0 ){
@ <p>A login is required for <a href="%h(zGoto)">%h(zGoto)</a>.</p>
}
form_begin(0, "%R/login");
if( zGoto ){
@ <input type="hidden" name="g" value="%h(zGoto)" />
}
@ <table class="login_out">
@ <tr>
@ <td class="login_out_label">User ID:</td>
if( anonFlag ){
|
| ︙ | ︙ | |||
650 651 652 653 654 655 656 |
}
@ </form>
if( g.perm.Password ){
@ <hr />
@ <p>To change your password, enter your old password and your
@ new password twice below then press the "Change Password"
@ button.</p>
| | | 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 |
}
@ </form>
if( g.perm.Password ){
@ <hr />
@ <p>To change your password, enter your old password and your
@ new password twice below then press the "Change Password"
@ button.</p>
form_begin(0, "%R/login");
@ <table>
@ <tr><td class="login_out_label">Old Password:</td>
@ <td><input type="password" name="p" size="30" /></td></tr>
@ <tr><td class="login_out_label">New Password:</td>
@ <td><input type="password" name="n1" size="30" /></td></tr>
@ <tr><td class="login_out_label">Repeat New Password:</td>
@ <td><input type="password" name="n2" size="30" /></td></tr>
|
| ︙ | ︙ | |||
1258 1259 1260 1261 1262 1263 1264 | /* Prepare the captcha. */ uSeed = captcha_seed(); zDecoded = captcha_decode(uSeed); zCaptcha = captcha_render(zDecoded); /* Print out the registration form. */ | | | 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 |
/* Prepare the captcha. */
uSeed = captcha_seed();
zDecoded = captcha_decode(uSeed);
zCaptcha = captcha_render(zDecoded);
/* Print out the registration form. */
form_begin(0, "%R/register");
if( P("g") ){
@ <input type="hidden" name="g" value="%h(P("g"))" />
}
@ <p><input type="hidden" name="cs" value="%u(uSeed)" />
@ <table class="login_out">
@ <tr>
@ <td class="login_out_label" align="right">User ID:</td>
|
| ︙ | ︙ |
Changes to src/style.c.
| ︙ | ︙ | |||
45 46 47 48 49 50 51 | /* ** remember, if a sidebox was used */ static int sideboxUsed = 0; /* | | > > | 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 | /* ** remember, if a sidebox was used */ static int sideboxUsed = 0; /* ** List of hyperlinks and forms that need to be resolved by javascript in ** the footer. */ char **aHref = 0; int nHref = 0; int nHrefAlloc = 0; char **aFormAction = 0; int nFormAction = 0; /* ** Generate and return a anchor tag like this: ** ** <a href="URL"> ** or <a id="ID"> ** |
| ︙ | ︙ | |||
117 118 119 120 121 122 123 124 125 126 127 128 129 |
if( nHref>=nHrefAlloc ){
nHrefAlloc = nHrefAlloc*2 + 10;
aHref = fossil_realloc(aHref, nHrefAlloc*sizeof(aHref[0]));
}
aHref[nHref++] = zUrl;
return mprintf("<a id=%d>", nHref);
}
/*
** Generate javascript that will set the href= attribute on all anchors.
*/
void style_resolve_href(void){
int i;
| > > > > > > > > > > > > > > > > > > > > > > | > > > > | 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
if( nHref>=nHrefAlloc ){
nHrefAlloc = nHrefAlloc*2 + 10;
aHref = fossil_realloc(aHref, nHrefAlloc*sizeof(aHref[0]));
}
aHref[nHref++] = zUrl;
return mprintf("<a id=%d>", nHref);
}
/*
** Generate <form method="post" action=ARG>. The ARG value is inserted
** by javascript.
*/
void form_begin(const char *zOtherArgs, const char *zAction, ...){
char *zLink;
va_list ap;
if( zOtherArgs==0 ) zOtherArgs = "";
va_start(ap, zAction);
zLink = vmprintf(zAction, ap);
va_end(ap);
if( g.perm.Hyperlink && !g.javascriptHyperlink ){
@ <form method="POST" action="%z(zLink)" %s(zOtherArgs)>
}else{
int n;
aFormAction = fossil_realloc(aFormAction, (nFormAction+1)*sizeof(char*));
aFormAction[nFormAction++] = zLink;
n = nFormAction;
@ <form id="form%d(n)" method="POST" action='%R/login' %s(zOtherArgs)>
}
}
/*
** Generate javascript that will set the href= attribute on all anchors.
*/
void style_resolve_href(void){
int i;
if( !g.perm.Hyperlink || !g.javascriptHyperlink ) return;
if( nHref==0 && nFormAction==0 ) return;
@ <script type="text/JavaScript">
@ /* <![CDATA[ */
@ function u(i,h){gebi(i).href=h;}
for(i=0; i<nHref; i++){
@ u(%d(i+1),"%s(aHref[i])");
}
for(i=0; i<nFormAction; i++){
@ gebi("form%d(i+1)").action="%s(aFormAction[i])";
}
@ /* ]]> */
@ </script>
}
/*
** Add a new element to the submenu
*/
|
| ︙ | ︙ |
Changes to src/tkt.c.
| ︙ | ︙ | |||
520 521 522 523 524 525 526 |
}
style_header("New Ticket");
if( g.thTrace ) Th_Trace("BEGIN_TKTNEW<br />\n", -1);
ticket_init();
getAllTicketFields();
initializeVariablesFromDb();
initializeVariablesFromCGI();
| | | 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 |
}
style_header("New Ticket");
if( g.thTrace ) Th_Trace("BEGIN_TKTNEW<br />\n", -1);
ticket_init();
getAllTicketFields();
initializeVariablesFromDb();
initializeVariablesFromCGI();
form_begin(0, "%R/%s", g.zPath);
login_insert_csrf_secret();
if( P("date_override") && g.perm.Setup ){
@ <input type="hidden" name="date_override" value="%h(P("date_override"))">
}
@ </p>
zScript = ticket_newpage_code();
Th_Store("login", g.zLogin);
|
| ︙ | ︙ | |||
589 590 591 592 593 594 595 |
return;
}
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT<br />\n", -1);
ticket_init();
getAllTicketFields();
initializeVariablesFromCGI();
initializeVariablesFromDb();
| | | 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 |
return;
}
if( g.thTrace ) Th_Trace("BEGIN_TKTEDIT<br />\n", -1);
ticket_init();
getAllTicketFields();
initializeVariablesFromCGI();
initializeVariablesFromDb();
form_begin(0, "%R/%s", g.zPath);
@ <input type="hidden" name="name" value="%s(zName)" />
login_insert_csrf_secret();
@ </p>
zScript = ticket_editpage_code();
Th_Store("login", g.zLogin);
Th_Store("date", db_text(0, "SELECT datetime('now')"));
Th_CreateCommand(g.interp, "append_field", appendRemarkCmd, 0, 0);
|
| ︙ | ︙ |
Changes to src/wiki.c.
| ︙ | ︙ | |||
158 159 160 161 162 163 164 |
}
}
@ <li> %z(href("%R/wcontent"))List of All Wiki Pages</a>
@ available on this server.</li>
if( g.perm.ModWiki ){
@ <li> %z(href("%R/modreq"))Tend to pending moderation requests</a></li>
}
| | > | | 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 |
}
}
@ <li> %z(href("%R/wcontent"))List of All Wiki Pages</a>
@ available on this server.</li>
if( g.perm.ModWiki ){
@ <li> %z(href("%R/modreq"))Tend to pending moderation requests</a></li>
}
@ <li>
form_begin(0, "%R/wfind");
@ <div>Search wiki titles: <input type="text" name="title"/>
@ <input type="submit" /></div></form>
@ </li>
@ </ul>
style_footer();
return;
}
if( check_name(zPageName) ) return;
|
| ︙ | ︙ | |||
355 356 357 358 359 360 361 |
for(n=2, z=zBody; z[0]; z++){
if( z[0]=='\n' ) n++;
}
if( n<20 ) n = 20;
if( n>30 ) n = 30;
if( !isWysiwyg ){
/* Traditional markup-only editing */
| | > | | | 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 |
for(n=2, z=zBody; z[0]; z++){
if( z[0]=='\n' ) n++;
}
if( n<20 ) n = 20;
if( n>30 ) n = 30;
if( !isWysiwyg ){
/* Traditional markup-only editing */
form_begin(0, "%R/wikiedit");
@ <div>
@ <textarea name="w" class="wikiedit" cols="80"
@ rows="%d(n)" wrap="virtual">%h(zBody)</textarea>
@ <br />
if( db_get_boolean("wysiwyg-wiki", 0) ){
@ <input type="submit" name="edit-wysiwyg" value="Wysiwyg Editor"
@ onclick='return confirm("Switching to WYSIWYG-mode\nwill erase your markup\nedits. Continue?")' />
}
@ <input type="submit" name="preview" value="Preview Your Changes" />
}else{
/* Wysiwyg editing */
Blob html, temp;
form_begin("onsubmit='wysiwygSubmit()'", "%R/wikiedit");
@ <div>
@ <input type="hidden" name="wysiwyg" value="1" />
blob_zero(&temp);
wiki_convert(&wiki, &temp, 0);
blob_zero(&html);
htmlTidy(blob_str(&temp), &html);
blob_reset(&temp);
wysiwygEditor("w", blob_str(&html), 60, n);
|
| ︙ | ︙ | |||
417 418 419 420 421 422 423 |
}else{
cgi_redirectf("wikiedit?name=%T", zName);
}
}
style_header("Create A New Wiki Page");
@ <p>Rules for wiki page names:</p>
well_formed_wiki_name_rules();
| | | 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 |
}else{
cgi_redirectf("wikiedit?name=%T", zName);
}
}
style_header("Create A New Wiki Page");
@ <p>Rules for wiki page names:</p>
well_formed_wiki_name_rules();
form_begin(0, "%R/wikinew");
@ <p>Name of new wiki page:
@ <input style="width: 35;" type="text" name="name" value="%h(zName)" />
@ <input type="submit" value="Create" />
@ </p></form>
if( zName[0] ){
@ <p><span class="wikiError">
@ "%h(zName)" is not a valid wiki page name!</span></p>
|
| ︙ | ︙ | |||
542 543 544 545 546 547 548 |
appendRemark(&preview);
@ Preview:<hr>
wiki_convert(&preview, 0, 0);
@ <hr>
blob_reset(&preview);
}
zUser = PD("u", g.zLogin);
| | | 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 |
appendRemark(&preview);
@ Preview:<hr>
wiki_convert(&preview, 0, 0);
@ <hr>
blob_reset(&preview);
}
zUser = PD("u", g.zLogin);
form_begin(0, "%R/wikiappend");
login_insert_csrf_secret();
@ <input type="hidden" name="name" value="%h(zPageName)" />
@ Your Name:
@ <input type="text" name="u" size="20" value="%h(zUser)" /><br />
@ Comment to append:<br />
@ <textarea name="r" class="wikiedit" cols="80"
@ rows="10" wrap="virtual">%h(PD("r",""))</textarea>
|
| ︙ | ︙ |