Fix html injections

2025-06-07 14:17:26 -04:00 · 2016-06-18 15:25:34 -04:00 · 2016-06-18 15:25:34 -04:00 · 559459e710
commit 559459e710
parent c1490cd15c
4 changed files with 102 additions and 41 deletions
--- a/app.pl
+++ b/app.pl
@ -87,7 +87,7 @@ sub get_eval {

 get '/' => sub {
    my $c    = shift;
-    $c->stash({pastedata => q{}, channels => \%channels, viewing => 0, page_tmpl => 'editor.html.tt'});
+    $c->stash({pastedata => q{}, channels => \%channels, page_tmpl => 'editor.html'});
    $c->render("page");
 };
 get '/pastebin' => sub {$_[0]->redirect_to('/')};
@ -112,8 +112,8 @@ get '/edit/:pasteid' => sub {
    my $row = $dbh->selectrow_hashref("SELECT * FROM posts WHERE id = ? LIMIT 1", {}, $pasteid);

    if ($row->{when}) {
-        $c->stash({pastedata => $row->{paste}, channels => \%channels, viewing => 0});
-        $c->stash({page_tmpl => 'editor.html.tt'});
+        $c->stash({pastedata => $row->{paste}, channels => \%channels});
+        $c->stash({page_tmpl => 'editor.html'});

        $c->render('page');
    } else {
@ -128,9 +128,10 @@ get '/pastebin/:pasteid' => sub {
    my $row = $dbh->selectrow_hashref("SELECT * FROM posts WHERE id = ? LIMIT 1", {}, $pasteid);

    if ($row->{when}) {
-        $c->stash({pastedata => $row->{paste}, channels => \%channels, viewing => 1});
        $c->stash($row);
-        $c->stash({page_tmpl => 'editor.html.tt'});
+        $c->stash({page_tmpl => 'viewer.html'});
+        $c->stash({eval => get_eval($pasteid, $row->{paste})});
+        $c->stash({paste_id => $pasteid});

        $c->render('page');
    } else {
--- a/pastes.db
+++ b/pastes.db
--- a/templates/editor.html.tt
+++ b/templates/editor.html.tt
@ -20,35 +20,23 @@

 [% BLOCK page_header %]
 <div class="row">
-  [% IF viewing %]
-    <div class="col-md-3">
-      <b>Who: </b>[% who %]
-    </div>
-    <div class="col-md-3">
-      <b>When: </b>[% when %]
-    </div>
-    <div class="col-md-6">
-      <b>What: </b>[% what %]
-    </div>
-  [% ELSE %]
-    <div class="col-md-3">
-      <label for="name">Who: </label>
-      <input size="20" name="name" placeholder="Anonymous" />
-    </div>
-    <div class="col-md-3">
-      <label for="chan">Where: </label>
-      <select name="chan" id="chan">
-          <option value="">-- IRC Channel --</option>
-      [% FOREACH channel = channels %]
-          <option value="[% channel.key %]">[% channel.value %]</option>
-      [% END %]
-      </select>
-    </div>
-    <div class="col-md-6">
-      <label for="desc">What: </label>
-      <input size="40" name="desc" placeholder="I broke this" />
-    </div>
-  [% END %]
+  <div class="col-md-3">
+    <label for="name">Who: </label>
+    <input size="20" name="name" placeholder="Anonymous" />
+  </div>
+  <div class="col-md-3">
+    <label for="chan">Where: </label>
+    <select name="chan" id="chan">
+        <option value="">-- IRC Channel --</option>
+    [% FOREACH channel = channels %]
+        <option value="[% channel.key %]">[% channel.value %]</option>
+    [% END %]
+    </select>
+  </div>
+  <div class="col-md-6">
+    <label for="desc">What: </label>
+    <input size="40" name="desc" placeholder="I broke this" />
+  </div>
 </div>
 [% END %]

@ -62,14 +50,12 @@
      </div>
      <div class="panel-body">
        <div class="editors">
-        <textarea name="paste" id="paste" cols="80" rows="25">[% pastedata %]</textarea>
+        <textarea name="paste" id="paste" cols="80" rows="25">[% pastedata | html %]</textarea>
        <pre id="editor">
        </pre>
        </div>
        <div class="panel-footer">
-          [% UNLESS viewing %]
          <input value="Submit" type="submit" id="submit" />
-          [% END %]
        </div>
      </div>
    </div>
@ -84,10 +70,6 @@
    //editor.setTheme("ace/theme/twilight");
    editor.session.setMode("ace/mode/perl");

-    [% IF viewing %]
-        editor.setReadOnly(true);
-    [% END %]
-
    function resizeAce() {
      var h = window.innerHeight;
      if (h > 360) {
--- a/templates/viewer.html
+++ b/templates/viewer.html
@ -0,0 +1,78 @@
+[% BLOCK body_style %]
+<style type="text/css" media="screen">
+    #editor {
+      margin: auto;
+      position: relative !important;
+      width: 100%;
+    }
+
+    html, body, #content {
+      width: 100%;
+    }
+  </style>
+[% END %]
+
+[% BLOCK page_header %]
+<div class="row">
+    <div class="col-md-3">
+      <b>Who: </b>[% who | html %]
+    </div>
+    <div class="col-md-3">
+      <b>When: </b>[% when %]
+    </div>
+    <div class="col-md-6">
+      <b>What: </b>[% what | html %]
+    </div>
+</div>
+[% END %]
+
+[% BLOCK body %]
+<form action="/edit/[% paste_id %]" method="GET" id="form">
+    <div id="content" class="container">
+      <div class="panel">
+        <div class="panel-heading">
+         [% PROCESS page_header %]
+        </div>
+      </div>
+      <div class="panel-body">
+        <div class="row">
+          <div class="col-md-6">
+            <pre id="editor">[% paste | html %]</pre>
+          </div>
+          <div id="eval" class="col-md-6">
+            <h3>Program Output:</h3>
+            <pre>[% eval | html %]</pre>
+          </div>
+        </div>
+        <div class="panel-footer">
+          <input value="Fork and Edit" type="submit" id="submit" />
+        </div>
+      </div>
+    </div>
+</form>
+
+<script src="/static/ace/ace.js" type="text/javascript" charset="utf-8"></script>
+<script>
+    var editor = ace.edit("editor");
+    //editor.setTheme("ace/theme/twilight");
+    editor.session.setMode("ace/mode/perl");
+
+    editor.setReadOnly(true);
+
+    function resizeAce() {
+      var h = window.innerHeight;
+      if (h > 360) {
+        $('#editor').css('height', (h - 175).toString() + 'px');
+      }
+    };
+    $(window).on('resize', function () {
+      resizeAce();
+    });
+    resizeAce();
+
+    $("#submit").on('click', function () {
+        $("#paste").text(editor.getValue()); // copy to the textarea
+    });
+
+</script>
+[% END %]