Module: tools Branch: master Commit: 4197bd0045bc3a03828c6d797972f2e17c3cb94d URL: http://source.winehq.org/git/tools.git/?a=commit;h=4197bd0045bc3a03828c6d797...
Author: Francois Gouget fgouget@codeweavers.com Date: Thu Aug 7 01:20:58 2014 +0200
testbot: Always escape GetPageTitle() and GetTitle() before putting them in an HTML page.
---
testbot/lib/ObjectModel/CGI/CollectionPage.pm | 2 +- testbot/lib/ObjectModel/CGI/FormPage.pm | 2 +- testbot/lib/ObjectModel/CGI/ItemPage.pm | 13 ++----------- testbot/lib/ObjectModel/CGI/Page.pm | 22 ++++++++++++++++++++++ 4 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/testbot/lib/ObjectModel/CGI/CollectionPage.pm b/testbot/lib/ObjectModel/CGI/CollectionPage.pm
index e0714bf..1652190 100644
--- a/testbot/lib/ObjectModel/CGI/CollectionPage.pm
+++ b/testbot/lib/ObjectModel/CGI/CollectionPage.pm
@@ -65,7 +65,7 @@ sub GenerateTitle($)
 my $Title = $self->GetTitle();
 if ($Title)
 {
- print "<h1>$Title</h1>\n";
+ print "<h1>", $self->escapeHTML($Title), "</h1>\n";
 }
 }
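Review bot: The two GenerateTitle() changes reach the escaper by different routes: this hunk calls `$self->escapeHTML($Title)`, while the FormPage.pm hunk calls `$self->CGI->escapeHTML($Title)`. If both page classes offer the same helper (their base classes are not visible in this diff), one spelling in both files would leave a single output-encoding path to audit, for example `print "<h1>", $self->escapeHTML($Title), "</h1>\n";` in FormPage.pm as well. GenerateTitle() starts above the hunk in both files, so how `$self` is set up there cannot be checked from here.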
diff --git a/testbot/lib/ObjectModel/CGI/FormPage.pm b/testbot/lib/ObjectModel/CGI/FormPage.pm
index 740b97e..197cdb9 100644
--- a/testbot/lib/ObjectModel/CGI/FormPage.pm
+++ b/testbot/lib/ObjectModel/CGI/FormPage.pm
@@ -87,7 +87,7 @@ sub GenerateTitle($)
 my $Title = $self->GetTitle();
 if ($Title)
 {
- print "<h1>$Title</h1>\n";
+ print "<h1>", $self->CGI->escapeHTML($Title), "</h1>\n";
 }
 }
diff --git a/testbot/lib/ObjectModel/CGI/ItemPage.pm b/testbot/lib/ObjectModel/CGI/ItemPage.pm
index f434dd3..7c6b361 100644
--- a/testbot/lib/ObjectModel/CGI/ItemPage.pm
+++ b/testbot/lib/ObjectModel/CGI/ItemPage.pm
@@ -92,17 +92,8 @@ sub GetTitle($)
 {
 my ($self) = @_;
- my $Title;
- if ($self->GetParam("Key"))
- {
- $Title = $self->GetParam("Key");
- }
- else
- {
- $Title = "Add " . $self->{Collection}->GetItemName();
- }
-
- return $self->escapeHTML($Title);
+ return $self->GetParam("Key") ? $self->GetParam("Key") :
+ "Add " . $self->{Collection}->GetItemName();
 }
 sub DisplayProperty($$)
diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm
index 7946603..2abe066 100644
--- a/testbot/lib/ObjectModel/CGI/Page.pm
+++ b/testbot/lib/ObjectModel/CGI/Page.pm
@@ -113,6 +113,17 @@ sub SetCookies($)
 $self->{PageBase}->SetCookies($self);
 }
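Review bot: In the ItemPage.pm hunk, GetTitle() now returns the `Key` request parameter verbatim, so any consumer this diff does not touch receives request-controlled text that used to arrive already escaped. Only the two GenerateTitle() call sites are updated here. Other users of GetTitle() are outside the diff (the POD added in Page.pm mentions email sections) and should be checked against the context they write into. I would state the contract at the return, e.g. `# Plain text, may hold the raw Key parameter: escape at the point of output.` The `sub GetTitle($)` line itself appears only in the hunk header.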
+=pod
+=over 12
+
+=head1 C<GetPageTitle()>
+
+This returns the page title as put in the HTML header.
+Note that this may not be valid HTML and thus need escaping.
+
+=back
+=cut
+
 sub GetPageTitle($)
 {
 my ($self) = @_;
@@ -120,6 +131,17 @@ sub GetPageTitle($)
 return $self->{PageBase}->GetPageTitle($self);
 }
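Review bot: The commit subject says GetPageTitle() is always escaped, yet no hunk in this diff changes a place where GetPageTitle() is written into a page; both Page.pm hunks add only POD. The code that emits the value into the HTML header is therefore outside this diff and should be confirmed to escape it, particularly if the page title is derived from GetTitle(), which after the ItemPage.pm change may carry unescaped request data. The added POD could state the contract more directly than "may not be valid HTML", e.g. `Returns plain text; the caller must escapeHTML() it before inserting it into HTML.` The same wording fits the GetTitle() POD in the next hunk. GetPageTitle()'s body runs past the end of this hunk.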
+=pod
+=over 12
+
+=head1 C<GetTitle()>
+
+This returns the title for the current web page or email section.
+Note that this may not be valid HTML and thus need escaping.
+
+=back
+=cut
+
 sub GetTitle($)
 {
 #my ($self) = @_;