3de82ff7fd9de5151f140a8282713eaed47881c2 galt Sat Oct 1 11:57:01 2016 -0700 Fixing bug with textarea. Because browser submits linefeeds as CRLF and even converts CR to CRLF, and we were converting LF to an html entity neglecting CR, we got a strange expansion of newlines (and pipe chars under ff) every time hgVai is submitted. It looks like old code that is safe to remove, so the html-entity encoding of LF in htmlEncode is gone. This is intended to simplify things. Refs#17782. diff --git src/lib/htmshell.c src/lib/htmshell.c index 894646c..9d5d0a0 100644 --- src/lib/htmshell.c +++ src/lib/htmshell.c @@ -201,69 +201,75 @@ *to = '\0'; return scrubbed; } char *htmlWarnEncode(char *s) /* Returns a cloned string with newlines replaced by BR tag. Meant to be displayed with warn popup box. */ { int size = strlen(s); size += countChars(s,'\n') * 4; char *cleanQuote = needMem(size+1); safecpy(cleanQuote,size+1,s); strSwapStrs(cleanQuote, size,"\n","<BR>" ); // use BR tag for new lines -if (cgiClientBrowser(NULL,NULL,NULL) == btFF) // Firefox - strSwapStrs(cleanQuote, size, "|", "<BR>"); // replace with BR tag -else - strSwapStrs(cleanQuote, size, "
", "<BR>"); // replace with BR tag +// No Longer necessary. They mess up textareas which have CR LF when posted. +// I am commenting them out now 2016-10-01. TODO REMOVE if not needed. +//if (cgiClientBrowser(NULL,NULL,NULL) == btFF) // Firefox +// strSwapStrs(cleanQuote, size, "|", "<BR>"); // replace with BR tag +//else +// strSwapStrs(cleanQuote, size, "
", "<BR>"); // replace with BR tag return cleanQuote; } int htmlEncodeTextExtended(char *s, char *out, int outSize) /* Replaces required punctuation characters with html entities to fight XSS. * out result must be large enough to receive the encoded string. * Returns size of encoded string or -1 if output larger than outSize. * To just get the final encoded size, pass in NULL for out and 0 for outSize. * To output without checking sizes, pass in non-NULL for out and 0 for outSize. */ { -boolean FF = FALSE; -if (cgiClientBrowser(NULL,NULL,NULL) == btFF) - FF = TRUE; +// No Longer necessary. They mess up textareas which have CR LF when posted. +// I am commenting them out now 2016-10-01. TODO REMOVE if not needed. +//boolean FF = FALSE; +//if (cgiClientBrowser(NULL,NULL,NULL) == btFF) +// FF = TRUE; int total = 0; char c = 0; do { c=*s++; int size = 1; char *newString = NULL; if (c == '&') { size = 5; newString = "&"; } // '&' start a control char if (c == '>') { size = 4; newString = ">" ; } // '>' close of tag if (c == '<') { size = 4; newString = "<" ; } // '<' open of tag - if (c == '\n') - { - size = 6; - if (FF) - newString = "|"; // FF does not support! Use "|" for '|' instead - else - newString = "
"; // '\n' is supported on some browsers - } + // No Longer necessary. They mess up textareas which have CR LF when posted. + // I am commenting them out now 2016-10-01. TODO REMOVE if not needed. + //if (c == '\n') + //{ + //size = 6; + //if (FF) + //newString = "|"; // FF does not support! Use "|" for '|' instead + //else + //newString = "
"; // '\n' is supported on some browsers + //} if (c == '/') { size = 6; newString = "/"; } // forward slash helps end an HTML entity if (c == '"') { size = 6; newString = """; } // double quote if (c == '\'') { size = 5; newString = "'" ; } // single quote if (out) { if (outSize > 0 && (total+size+1) > outSize) // 1 for terminator { *out = 0; return -1; } if (size == 1) *out++ = c; else { strncpy(out, newString, size);