Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Merge search box fixes from the 3.22.0 branch. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
848c37b010f054d49c4726515ebefbe9 |
User & Date: | drh 2018-03-09 18:11:48.173 |
Context
2018-03-10
| ||
12:05 | Fix a typo on the printf.html page. (check-in: 5c4f29e7bd user: drh tags: trunk) | |
2018-03-09
| ||
18:11 | Merge search box fixes from the 3.22.0 branch. (check-in: 848c37b010 user: drh tags: trunk) | |
18:11 | Further improvements to the search script. (check-in: 55959de4e8 user: drh tags: branch-3.22) | |
2018-03-08
| ||
16:27 | Improvements to SQLite Archive documentation. (check-in: 7647551ed3 user: drh tags: trunk) | |
Changes
Changes to search/search.tcl.in.
︙ | ︙ | |||
235 236 237 238 239 240 241 | wapp-subst {</center>\n} } } # This is the main entry point into the search result page generator # proc wapp-default {} { | | | 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 | wapp-subst {</center>\n} } } # This is the main entry point into the search result page generator # proc wapp-default {} { wapp-content-security-policy {default-src 'self' 'unsafe-inline'} wapp-allow-xorigin-params if {[wapp-param-exists env]} { search_header wapp-trim { <h1>Environment Dump For Debugging</h1> <pre>%html([wapp-debug-env])</pre> } |
︙ | ︙ |
Changes to search/wapp.tcl.
︙ | ︙ | |||
51 52 53 54 55 56 57 58 59 60 61 62 63 64 | # substitutions are made: # # %html(...) Escape text for inclusion in HTML # %url(...) Escape text for use as a URL # %qp(...) Escape text for use as a URI query parameter # %string(...) Escape text for use within a JSON string # %unsafe(...) No transformations of the text # # The %unsafe substitution should be avoided whenever possible, obviously. # In addition to the substitutions above, the text also does backslash # escapes. # proc wapp-subst {txt} { global wapp | > > > > > > > > > > > > | | > > > > > > > > > > > | | > > | | 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 | # substitutions are made: # # %html(...) Escape text for inclusion in HTML # %url(...) Escape text for use as a URL # %qp(...) Escape text for use as a URI query parameter # %string(...) Escape text for use within a JSON string # %unsafe(...) No transformations of the text # # The substitutions above terminate at the first ")" character. If the # text of the TCL string in ... contains ")" characters itself, use instead: # # %html%(...)% # %url%(...)% # %qp%(...)% # %string%(...)% # %unsafe%(...)% # # In other words, use "%(...)%" instead of "(...)" to include the TCL string # to substitute. # # The %unsafe substitution should be avoided whenever possible, obviously. # In addition to the substitutions above, the text also does backslash # escapes. # proc wapp-subst {txt} { global wapp regsub -all {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt \ {[wappInt-enc-\1 "\3"]} txt dict append wapp .reply [uplevel 1 [list subst -novariables $txt]] } # Works like wapp-subst, but also removes whitespace from the beginning # of lines. # proc wapp-trim {txt} { global wapp regsub -all {\n\s+} [string trim $txt] \n txt regsub -all {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt \ {[wappInt-enc-\1 "\3"]} txt dict append wapp .reply [uplevel 1 [list subst -novariables $txt]] } # There must be a wappInt-enc-NAME routine for each possible substitution # in wapp-subst. Thus there are routines for "html", "url", "qp", and "unsafe". # # wappInt-enc-html Escape text so that it is safe to use in the # body of an HTML document. # # wappInt-enc-url Escape text so that it is safe to pass as an # argument to href= and src= attributes in HTML. # # wappInt-enc-qp Escape text so that it is safe to use as the # value of a query parameter in a URL or in # post data or in a cookie. # # wappInt-enc-string Escape ", ', \, and < for using inside of a # javascript string literal. The < character # is escaped to prevent "</script>" from causing # problems in embedded javascript. # # wappInt-enc-unsafe Perform no encoding at all. Unsafe. # proc wappInt-enc-html {txt} { return [string map {& & < < > > \" " \\ \} $txt] } proc wappInt-enc-unsafe {txt} { return $txt } proc wappInt-enc-url {s} { if {[regsub -all {[^-{}@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} { set s [subst -novar -noback $s] |
︙ | ︙ | |||
106 107 108 109 110 111 112 | } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { | | < < < < < < < < < < < | 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 | } if {[regsub -all {[{}]} $s {[wappInt-%HHchar \\&]} s]} { set s [subst -novar -noback $s] } return $s } proc wappInt-enc-string {s} { return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c} $s] } # This is a helper routine for wappInt-enc-url and wappInt-enc-qp. It returns # an appropriate %HH encoding for the single character c. If c is a unicode # character, then this routine might return multiple bytes: %HH%HH%HH # proc wappInt-%HHchar {c} { |
︙ | ︙ | |||
517 518 519 520 521 522 523 | set qsplit [split $qterm =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][a-z0-9]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } | | | < | | | | | | | | > > > > > > > > > > > > > > > | < < < < > > > | 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 | set qsplit [split $qterm =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][a-z0-9]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } if {[dict exists $wapp CONTENT_TYPE] && [dict exists $wapp CONTENT]} { set ctype [dict get $wapp CONTENT_TYPE] if {$ctype=="application/x-www-form-urlencoded"} { foreach qterm [split [string trim [dict get $wapp CONTENT]] &] { set qsplit [split $qterm =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } elseif {[string match multipart/form-data* $ctype]} { regexp {^(.*?)\r\n(.*)$} [dict get $wapp CONTENT] all divider body set ndiv [string length $divider] while {[string length $body]} { set idx [string first $divider $body] set unit [string range $body 0 [expr {$idx-3}]] set body [string range $body [expr {$idx+$ndiv+2}] end] if {[regexp {^Content-Disposition: form-data; (.*?)\r\n\r\n(.*)$} \ $unit unit hdr content] && [regexp {name="(.*)"; filename="(.*)"\r\nContent-Type: (.*?)$}\ $hdr hr name filename mimetype]} { dict set wapp $name.filename \ [string map [list \\\" \" \\\\ \\] $filename] dict set wapp $name.mimetype $mimetype dict set wapp $name.content $content } } } } } # Invoke application-supplied methods to generate a reply to # a single HTTP request. # # This routine always runs within [catch], so handle exceptions by # invoking [error]. |
︙ | ︙ | |||
597 598 599 600 601 602 603 | set qsplit [split [string trim $qterm] =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } | > | | < | | | > > > > | 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 | set qsplit [split [string trim $qterm] =] set nm [lindex $qsplit 0] if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} { dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]] } } } set same_origin 0 if {[dict exists $wapp HTTP_REFERER]} { set referer [dict get $wapp HTTP_REFERER] set base [dict get $wapp BASE_URL] if {$referer==$base || [string match $base/* $referer]} { set same_origin 1 } } dict set wapp SAME_ORIGIN $same_origin if {$same_origin} { wappInt-decode-query-params } # Invoke the application-defined handler procedure for this page # request. If an error occurs while running that procedure, generate # an HTTP reply that contains the error message. # wapp-before-dispatch-hook wappInt-trace set mname [dict get $wapp PATH_HEAD] if {[catch { if {$mname!="" && [llength [info proc wapp-page-$mname]]>0} { wapp-page-$mname } else { wapp-default } } msg]} { if {[wapp-param WAPP_MODE]=="local" || [wapp-param WAPP_MODE]=="server"} { puts "ERROR: $::errorInfo" } wapp-reset wapp-reply-code "500 Internal Server Error" wapp-mimetype text/html wapp-trim { <h1>Wapp Application Error</h1> <pre>%html($::errorInfo)</pre> } |
︙ | ︙ |