X-Git-Url: http://git.shiar.net/perl/plp/.git/blobdiff_plain/b485fa6bb934e79d44a1be1b5e41e31f4e7129b1..958d374e19b67a3c68050a1dd29f7a10a44c74c9:/lib/PLP/Functions.pm diff --git a/lib/PLP/Functions.pm b/lib/PLP/Functions.pm index 90ff741..2a4bb99 100644 --- a/lib/PLP/Functions.pm +++ b/lib/PLP/Functions.pm @@ -3,11 +3,13 @@ package PLP::Functions; use strict; use warnings; -use Exporter qw(import); +use base 'Exporter'; +use Carp; use Fcntl qw(:flock); -our $VERSION = '1.00'; +our $VERSION = '1.01'; our @EXPORT = qw/Entity DecodeURI EncodeURI Include include PLP_END + EscapeHTML AddCookie ReadFile WriteFile AutoURL Counter exit/; sub Include ($) { @@ -16,7 +18,7 @@ sub Include ($) { $PLP::inA = 0; $PLP::inB = 0; local $@; - eval 'package PLP::Script; ' . PLP::source($PLP::file, 0, join ' ', (caller)[2,1]); + eval 'package PLP::Script; no warnings; ' . PLP::source($PLP::file, 0, join ' ', (caller)[2,1]); if ($@) { PLP::Functions::exit() if $@ =~ /\cS\cT\cO\cP/; PLP::error($@, 1); @@ -35,9 +37,23 @@ sub PLP_END (&) { push @PLP::END, shift; } +sub EscapeHTML { + @_ == 1 or croak "Unsupported parameters given to EscapeHTML"; + unshift @_, shift if defined wantarray; # dereference if not void + for ($_[0]) { + defined or next; + s/&/&/g; + s/"/"/g; + s//>/g; + } + return $_[0]; +} + sub Entity (@) { my $ref = defined wantarray ? [@_] : \@_; for (@$ref) { + defined or next; eval { s/&/&/g; s/"/"/g; @@ -54,6 +70,7 @@ sub Entity (@) { sub DecodeURI (@) { my $ref = defined wantarray ? [@_] : \@_; for (@$ref) { + defined or next; eval { tr/+/ /; # Browsers do tr/ /+/ - I don't care about RFCs, but # I do care about real-life situations. @@ -66,6 +83,7 @@ sub DecodeURI (@) { sub EncodeURI (@) { my $ref = defined wantarray ? [@_] : \@_; for (@$ref) { + defined or next; eval { s{([^A-Za-z0-9\-_.!~*'()/?:@\$,])}{sprintf("%%%02x", ord $1)}ge; }; @@ -75,7 +93,7 @@ sub EncodeURI (@) { sub AddCookie ($) { if ($PLP::Script::header{'Set-Cookie'}) { - $PLP::Script::header{'Set-Cookie'} .= "\nSet-Cookie: $_[0]"; + $PLP::Script::header{'Set-Cookie'} .= "\n" . $_[0]; } else { $PLP::Script::header{'Set-Cookie'} = $_[0]; } @@ -207,17 +225,36 @@ Adds a piece of code that is executed when at the end of the PLP document. This You should use this function instead of Perl's built-in C blocks, because those do not work properly with mod_perl. +=item EscapeHTML STRING + +Replaces HTML syntax characters by HTML entities, so the text can be output safely. +You should always use this when displaying user input (or database output), +to avoid cross-site-scripting vurnerabilities. + +In void context, B the value of the given variable. + + <: EscapeHTML($user_input); print "
$user_input
"; :> + +In other contexts, returns the changed version. + + + +Be warned that single quotes are not substituted, so always use double quotes for attributes. +Also does not convert whitespace for formatted output; use Entity() for that. + +To escape high-bit characters as well, refer to L. + =item Entity LIST -Replaces HTML syntax characters by HTML entities, so they can be displayed literally. You should always use this when displaying user input (or database output), to avoid cross-site-scripting vurnerabilities. +Formats given arguments for literal display in HTML documents. +Similar to EscapeHTML(), but also preserves newlines and consecutive spaces +using corresponding C<<
>> and C< > respectively. In void context, B the values of the given variables. In other contexts, returns the changed versions. - <: print Entity($user_input); :> + <: print '

' . Entity($user_input) . '

'; :> -Be warned that this function also HTMLizes consecutive whitespace and newlines (using   and
respectively). -For simple escaping, use L. -To escape high-bit characters as well, use L. +Inside attributes, always use EscapeHTML() instead. =item EncodeURI LIST @@ -232,7 +269,7 @@ Note that the following reserved characters are I percent-encoded, even tho / ? : @ $ This should be safe for escaping query values (as in the example above), -but it may be a better idea to use L instead. +but otherwise it may be a better idea to use L instead. =item DecodeURI LIST