Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Merge search box fixes from the 3.22.0 branch. |
|---|---|
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
848c37b010f054d49c4726515ebefbe9 |
| User & Date: | drh 2018-03-09 18:11:48 |
Context
|
2018-03-10
| ||
| 12:05 | Fix a typo on the printf.html page. check-in: 5c4f29e7bd user: drh tags: trunk | |
|
2018-03-09
| ||
| 18:11 | Merge search box fixes from the 3.22.0 branch. check-in: 848c37b010 user: drh tags: trunk | |
| 18:11 | Further improvements to the search script. check-in: 55959de4e8 user: drh tags: branch-3.22 | |
|
2018-03-08
| ||
| 16:27 | Improvements to SQLite Archive documentation. check-in: 7647551ed3 user: drh tags: trunk | |
Changes
Changes to search/search.tcl.in.
235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 |
wapp-subst {</center>\n}
}
}
# This is the main entry point into the search result page generator
#
proc wapp-default {} {
wapp-content-security-policy off
wapp-allow-xorigin-params
if {[wapp-param-exists env]} {
search_header
wapp-trim {
<h1>Environment Dump For Debugging</h1>
<pre>%html([wapp-debug-env])</pre>
}
|
| |
235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 |
wapp-subst {</center>\n}
}
}
# This is the main entry point into the search result page generator
#
proc wapp-default {} {
wapp-content-security-policy {default-src 'self' 'unsafe-inline'}
wapp-allow-xorigin-params
if {[wapp-param-exists env]} {
search_header
wapp-trim {
<h1>Environment Dump For Debugging</h1>
<pre>%html([wapp-debug-env])</pre>
}
|
Changes to search/wapp.tcl.
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 .. 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 ... 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 ... 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 ... 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 ... 623 624 625 626 627 628 629 630 631 632 633 634 635 636 |
# substitutions are made:
#
# %html(...) Escape text for inclusion in HTML
# %url(...) Escape text for use as a URL
# %qp(...) Escape text for use as a URI query parameter
# %string(...) Escape text for use within a JSON string
# %unsafe(...) No transformations of the text
#
# The %unsafe substitution should be avoided whenever possible, obviously.
# In addition to the substitutions above, the text also does backslash
# escapes.
#
proc wapp-subst {txt} {
global wapp
regsub -all {%(html|url|qp|string|unsafe)\(([^)]+)\)} $txt \
{[wappInt-enc-\1 "\2"]} txt
dict append wapp .reply [uplevel 1 [list subst -novariables $txt]]
}
# There must be a wappInt-enc-NAME routine for each possible substitution
# in wapp-subst. Thus there are routines for "html", "url", "qp", and "unsafe".
#
# wappInt-enc-html Escape text so that it is safe to use in the
................................................................................
# wappInt-enc-url Escape text so that it is safe to pass as an
# argument to href= and src= attributes in HTML.
#
# wappInt-enc-qp Escape text so that it is safe to use as the
# value of a query parameter in a URL or in
# post data or in a cookie.
#
# wappInt-enc-string Escape ", ', and \ for using inside of a
# javascript string literal.
#
# wappInt-enc-unsafe Perform no encoding at all. Unsafe.
#
proc wappInt-enc-html {txt} {
return [string map {& & < < > >} $txt]
}
proc wappInt-enc-unsafe {txt} {
return $txt
}
proc wappInt-enc-url {s} {
if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} {
set s [subst -novar -noback $s]
................................................................................
}
if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} {
set s [subst -novar -noback $s]
}
return $s
}
proc wappInt-enc-string {s} {
return [string map {\\ \\\\ \" \\\" ' \\'} $s]
}
# Works like wapp-subst, but also removes whitespace from the beginning
# of lines.
#
proc wapp-trim {txt} {
global wapp
regsub -all {\n\s+} [string trim $txt] \n txt
regsub -all {%(html|url|qp|string|unsafe)\(([^)]+)\)} $txt \
{[wappInt-enc-\1 "\2"]} txt
dict append wapp .reply [uplevel 1 [list subst -novariables $txt]]
}
# This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns
# an appropriate %HH encoding for the single character c. If c is a unicode
# character, then this routine might return multiple bytes: %HH%HH%HH
#
proc wappInt-%HHchar {c} {
................................................................................
set qsplit [split $qterm =]
set nm [lindex $qsplit 0]
if {[regexp {^[a-z][a-z0-9]*$} $nm]} {
dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]]
}
}
}
if {[dict exists $wapp CONTENT_TYPE]
&& [dict get $wapp CONTENT_TYPE]=="application/x-www-form-urlencoded"
&& [dict exists $wapp CONTENT]
} {
foreach qterm [split [string trim [dict get $wapp CONTENT]] &] {
set qsplit [split $qterm =]
set nm [lindex $qsplit 0]
if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]]
}
}
}
# To-Do: Perhaps add support for multipart/form-data decoding.
# Alternatively, perhaps multipart/form-data decoding can be done
# by application code using a separate helper function, like
# "wapp_decode_multipart_formdata" or somesuch.
}
# Invoke application-supplied methods to generate a reply to
# a single HTTP request.
#
# This routine always runs within [catch], so handle exceptions by
# invoking [error].
................................................................................
set qsplit [split [string trim $qterm] =]
set nm [lindex $qsplit 0]
if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]]
}
}
}
if {[dict exists $wapp HTTP_REFERER]
&& [string match [dict get $wapp BASE_URL]/* [dict get $wapp HTTP_REFERER]]
} {
set same_origin 1
} else {
set same_origin 0
}
dict set wapp SAME_ORIGIN $same_origin
if {$same_origin} {
wappInt-decode-query-params
}
# Invoke the application-defined handler procedure for this page
................................................................................
if {[catch {
if {$mname!="" && [llength [info proc wapp-page-$mname]]>0} {
wapp-page-$mname
} else {
wapp-default
}
} msg]} {
wapp-reset
wapp-reply-code "500 Internal Server Error"
wapp-mimetype text/html
wapp-trim {
<h1>Wapp Application Error</h1>
<pre>%html($::errorInfo)</pre>
}
|
> > > > > > > > > > > > | | > > > > > > > > > > > | | > > | | < < < < < < < < < < < | | | < | | | | | | | > > > > > > > > > > > > > > > | < < < < > > > > | | < | | | > > > > |
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 .. 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 ... 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 ... 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 ... 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 ... 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 |
# substitutions are made: # # %html(...) Escape text for inclusion in HTML # %url(...) Escape text for use as a URL # %qp(...) Escape text for use as a URI query parameter # %string(...) Escape text for use within a JSON string # %unsafe(...) No transformations of the text # # The substitutions above terminate at the first ")" character. If the # text of the TCL string in ... contains ")" characters itself, use instead: # # %html%(...)% # %url%(...)% # %qp%(...)% # %string%(...)% # %unsafe%(...)% # # In other words, use "%(...)%" instead of "(...)" to include the TCL string # to substitute. # # The %unsafe substitution should be avoided whenever possible, obviously. # In addition to the substitutions above, the text also does backslash # escapes. # proc wapp-subst {txt} { global wapp regsub -all {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt \ {[wappInt-enc-\1 "\3"]} txt dict append wapp .reply [uplevel 1 [list subst -novariables $txt]] } # Works like wapp-subst, but also removes whitespace from the beginning # of lines. # proc wapp-trim {txt} { global wapp regsub -all {\n\s+} [string trim $txt] \n txt regsub -all {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt \ {[wappInt-enc-\1 "\3"]} txt dict append wapp .reply [uplevel 1 [list subst -novariables $txt]] } # There must be a wappInt-enc-NAME routine for each possible substitution # in wapp-subst. Thus there are routines for "html", "url", "qp", and "unsafe". # # wappInt-enc-html Escape text so that it is safe to use in the ................................................................................ # wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # # wappInt-enc-string Escape ", ', \, and < for using inside of a # javascript string literal. The < character # is escaped to prevent "</script>" from causing # problems in embedded javascript. # # wappInt-enc-unsafe Perform no encoding at all. Unsafe. # proc wappInt-enc-html {txt} { return [string map {& & < < > > \" " \\ \} $txt] } proc wappInt-enc-unsafe {txt} { return $txt } proc wappInt-enc-url {s} { if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} { set s [subst -novar -noback $s] ................................................................................ } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c} $s] } # This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns # an appropriate %HH encoding for the single character c. If c is a unicode # character, then this routine might return multiple bytes: %HH%HH%HH # proc wappInt-%HHchar {c} { ................................................................................ set qsplit [split $qterm =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][a-z0-9]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } if {[dict exists $wapp CONTENT_TYPE] && [dict exists $wapp CONTENT]} { set ctype [dict get $wapp CONTENT_TYPE] if {$ctype=="application/x-www-form-urlencoded"} { foreach qterm [split [string trim [dict get $wapp CONTENT]] &] { set qsplit [split $qterm =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } elseif {[string match multipart/form-data* $ctype]} { regexp {^(.*?)\r\n(.*)$} [dict get $wapp CONTENT] all divider body set ndiv [string length $divider] while {[string length $body]} { set idx [string first $divider $body] set unit [string range $body 0 [expr {$idx-3}]] set body [string range $body [expr {$idx+$ndiv+2}] end] if {[regexp {^Content-Disposition: form-data; (.*?)\r\n\r\n(.*)$} \ $unit unit hdr content] && [regexp {name="(.*)"; filename="(.*)"\r\nContent-Type: (.*?)$}\ $hdr hr name filename mimetype]} { dict set wapp $name.filename \ [string map [list \\\" \" \\\\ \\] $filename] dict set wapp $name.mimetype $mimetype dict set wapp $name.content $content } } } } } # Invoke application-supplied methods to generate a reply to # a single HTTP request. # # This routine always runs within [catch], so handle exceptions by # invoking [error]. ................................................................................ set qsplit [split [string trim $qterm] =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } set same_origin 0 if {[dict exists $wapp HTTP_REFERER]} { set referer [dict get $wapp HTTP_REFERER] set base [dict get $wapp BASE_URL] if {$referer==$base || [string match $base/* $referer]} { set same_origin 1 } } dict set wapp SAME_ORIGIN $same_origin if {$same_origin} { wappInt-decode-query-params } # Invoke the application-defined handler procedure for this page ................................................................................ if {[catch { if {$mname!="" && [llength [info proc wapp-page-$mname]]>0} { wapp-page-$mname } else { wapp-default } } msg]} { if {[wapp-param WAPP_MODE]=="local" || [wapp-param WAPP_MODE]=="server"} { puts "ERROR: $::errorInfo" } wapp-reset wapp-reply-code "500 Internal Server Error" wapp-mimetype text/html wapp-trim { <h1>Wapp Application Error</h1> <pre>%html($::errorInfo)</pre> } |