authorJoey Hess <joey@kodama.kitenet.net>2008-07-06 15:52:04 -0400
committerJoey Hess <joey@kodama.kitenet.net>2008-07-06 15:52:04 -0400
commit05124f9a86dadca50c693d57f8fc8398fb5d8be9 (patch)
tree65c81b6a7a0c3dbf850782b4b8320b458f95ff0a /IkiWiki/CGI.pm
parentbadfb9a5c91b92d0e6a61f331bcaff6683ee11bc (diff)
editpage escaping fixes
* The editpage form now uses the raw page name, not the page title, in its 'page' cgi parameter. Using the title was ambiguous and made it impossible to tell some pages apart, like "foo/bar" and "foo__47__bar", sometimes causing the wrong page to be edited.
* This change means that some edit links need to be updated. Force a rebuild on upgrade to this version.
* The above change also allowed really fixing escaped slashes from the blogpost form.
Diffstat (limited to 'IkiWiki/CGI.pm')
-rw-r--r--IkiWiki/CGI.pm11
1 files changed, 5 insertions, 6 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 07e92322f..99cead64f 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -301,10 +301,9 @@ sub cgi_editpage ($$) { #{{{
});
decode_form_utf8($form);
- # This untaint is safe because titlepage removes any problematic
- # characters.
+ # This untaint is safe because we check file_pruned.
my $page=$form->field('page');
- $page=titlepage(possibly_foolish_untaint($page));
+ $page=possibly_foolish_untaint($page);
if (! defined $page || ! length $page ||
file_pruned($page, $config{srcdir}) || $page=~/^\//) {
error("bad page name");
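Review bot: With `titlepage` dropped, nothing visible in this hunk limits which characters the untainted `$page` may contain; the new comment rests the untaint on `file_pruned` alone, although the condition also rejects a leading slash, and the untaint itself runs before either check. If this revision has an allowed-filename pattern (ikiwiki's `$config{wiki_file_regexp}`, to be confirmed), I would add `|| $page !~ /$config{wiki_file_regexp}/` to the rejection condition and reword the comment to `# This untaint is safe because we check file_pruned and wiki_file_regexp, and reject a leading slash.` `possibly_foolish_untaint` is also called before the `defined` test, so an absent `page` parameter reaches it as undef. cgi_editpage starts and ends outside the hunk, so the later uses of `$page` could not be checked from here.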
@@ -354,7 +353,7 @@ sub cgi_editpage ($$) { #{{{
$form->field(name => "from", type => 'hidden');
$form->field(name => "rcsinfo", type => 'hidden');
$form->field(name => "subpage", type => 'hidden');
- $form->field(name => "page", value => pagetitle($page, 1), force => 1);
+ $form->field(name => "page", value => $page, force => 1);
$form->field(name => "type", value => $type, force => 1);
$form->field(name => "comments", type => "text", size => 80);
$form->field(name => "editcontent", type => "textarea", rows => 20,
@@ -486,8 +485,8 @@ sub cgi_editpage ($$) { #{{{
$form->tmpl_param("page_select", 1);
$form->field(name => "page", type => 'select',
- options => [ map { pagetitle($_, 1) } @editable_locs ],
- value => pagetitle($best_loc, 1));
+ options => [ map { [ $_, pagetitle($_, 1) ] } @editable_locs ],
+ value => $best_loc);
$form->field(name => "type", type => 'select',
options => \@page_types);
$form->title(sprintf(gettext("creating %s"), pagetitle($page)));
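Review bot: The `options` list changes shape here from plain strings to two-element array refs without a comment saying which element is submitted and which is displayed. I would add `# options are [value, label] pairs: the raw page name is submitted, the title is only shown` above the `$form->field(name => "page", type => 'select', ...)` call. Since a select only constrains the browser UI, the submitted `page` value still has to pass the validation at the top of cgi_editpage and any edit-permission check on save, neither of which is visible in this hunk.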