Fossil

Check-in [ff4c7ed6]

Overview
Comment:Do not export g.zRelReqURI to TH1 interpreter because getParameter proc can retrieve PATH_INFO and QUERY_STRING. Instead export g.zPath (as $webpagename) since that is typically needed in the TH1 headers/footers of custom skins.
SHA3-256: ff4c7ed6096beceb2cf48055e3c475fd11499bb7dfb06abef3fdf41ca27f8e68
User & Date: george 2022-02-14 23:06:12
Context
2022-02-15
00:14
Move <meta charset="UTF-8"> to the beginning of the default header. Supply BODY element with a class that derives from $webpagename. ... (check-in: 6d135904 user: george tags: base-href-fix)
2022-02-14
23:06
Do not export g.zRelReqURI to TH1 interpreter because getParameter proc can retrieve PATH_INFO and QUERY_STRING. Instead export g.zPath (as $webpagename) since that is typically needed in the TH1 headers/footers of custom skins. ... (check-in: ff4c7ed6 user: george tags: base-href-fix)
22:43
Make style_set_base_href_suffix() safe for misuse: if the resulting suffix contains unescaped quotes then escape them. $base_href_suffix is intended for interpolation inside of the quoted href attribute. This check-in should address the case when a user of a malfunctioning browser (which mishandles quoting) is tricked by an adversary into visiting a specially crafted hyperlink. ... (check-in: d97752f3 user: george tags: base-href-fix)
Changes

Changes to src/style.c.

  if( zTitle ) Th_Store("title", zTitle);
  Th_Store("baseurl", g.zBaseURL);
  Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
  Th_Store("home", g.zTop);
  Th_Store("index_page", db_get("index-page","/home"));
  if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath);
  Th_Store("current_page", local_zCurrentPage);
  if( local_zBaseHrefSuffix==0 ){
    style_set_base_href_suffix("%s",g.zRelReqURI);
    /* %s because g.zRelReqURI is already encoded (FIXME: really so?) */
  }
  Th_Store("base_href_suffix", local_zBaseHrefSuffix);
  Th_Store("relrequri", g.zRelReqURI);
  Th_Store("csrf_token", g.zCsrfToken);
  Th_Store("release_version", RELEASE_VERSION);
  Th_Store("manifest_version", MANIFEST_VERSION);
  Th_Store("manifest_date", MANIFEST_DATE);
  Th_Store("compiler_name", COMPILER_NAME);
  Th_Store("mainmenu", style_get_mainmenu());
  stylesheet_url_var();
  if( zTitle ) Th_Store("title", zTitle);
  Th_Store("baseurl", g.zBaseURL);
  Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
  Th_Store("home", g.zTop);
  Th_Store("index_page", db_get("index-page","/home"));
  if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath);
  Th_Store("current_page", local_zCurrentPage);

  if( !local_zBaseHrefSuffix ) style_set_base_href_suffix("%s",g.zRelReqURI);


  Th_Store("base_href_suffix", local_zBaseHrefSuffix);
  Th_Store("webpagename", g.zPath);
  Th_Store("csrf_token", g.zCsrfToken);
  Th_Store("release_version", RELEASE_VERSION);
  Th_Store("manifest_version", MANIFEST_VERSION);
  Th_Store("manifest_date", MANIFEST_DATE);
  Th_Store("compiler_name", COMPILER_NAME);
  Th_Store("mainmenu", style_get_mainmenu());
  stylesheet_url_var();
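Review bot: collapsing the `if( local_zBaseHrefSuffix==0 ){ ... }` block into the one-line `if( !local_zBaseHrefSuffix ) style_set_base_href_suffix("%s",g.zRelReqURI);` drops the comment `/* %s because g.zRelReqURI is already encoded (FIXME: really so?) */` without answering the question it raised; since `$base_href_suffix` is interpolated inside a quoted href attribute, the reason `%s` (rather than an escaping format) is acceptable here should be stated in a comment next to the call, not removed silently. Separately, replacing `Th_Store("relrequri", g.zRelReqURI)` with `Th_Store("webpagename", g.zPath)` removes a TH1 variable that custom skins may already reference, so the rename and the new `$webpagename` variable should be reflected in the skin/TH1 variable documentation.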