From 559459e71015c8c7a59896e5ef47dfb35202e972 Mon Sep 17 00:00:00 2001
From: Ryan Voots
Date: Sat, 18 Jun 2016 15:25:34 -0400
Subject: [PATCH] Fix html injections
---
 app.pl | 11 +--
 pastes.db | Bin 8192 -> 9216 bytes
 templates/{editor.html.tt => editor.html} | 54 +++++----------
 templates/viewer.html | 78 ++++++++++++++++++++++
 4 files changed, 102 insertions(+), 41 deletions(-)
 rename templates/{editor.html.tt => editor.html} (62%)
 create mode 100755 templates/viewer.html
diff --git a/app.pl b/app.pl
index 677f371..78e57ca 100755
--- a/app.pl
+++ b/app.pl
@@ -87,7 +87,7 @@ sub get_eval {
 get '/' => sub {
 my $c = shift;
- $c->stash({pastedata => q{}, channels => \%channels, viewing => 0, page_tmpl => 'editor.html.tt'});
+ $c->stash({pastedata => q{}, channels => \%channels, page_tmpl => 'editor.html'});
 $c->render("page");
 };
 get '/pastebin' => sub {$_[0]->redirect_to('/')};
@@ -112,8 +112,8 @@ get '/edit/:pasteid' => sub {
 my $row = $dbh->selectrow_hashref("SELECT * FROM posts WHERE id = ? LIMIT 1", {}, $pasteid);
 if ($row->{when}) {
- $c->stash({pastedata => $row->{paste}, channels => \%channels, viewing => 0});
- $c->stash({page_tmpl => 'editor.html.tt'});
+ $c->stash({pastedata => $row->{paste}, channels => \%channels});
+ $c->stash({page_tmpl => 'editor.html'});
 $c->render('page');
 }
 else {
@@ -128,9 +128,10 @@ get '/pastebin/:pasteid' => sub {
 my $row = $dbh->selectrow_hashref("SELECT * FROM posts WHERE id = ? LIMIT 1", {}, $pasteid);
 if ($row->{when}) {
- $c->stash({pastedata => $row->{paste}, channels => \%channels, viewing => 1});
 $c->stash($row);
- $c->stash({page_tmpl => 'editor.html.tt'});
+ $c->stash({page_tmpl => 'viewer.html'});
+ $c->stash({eval => get_eval($pasteid, $row->{paste})});
+ $c->stash({paste_id => $pasteid});
 $c->render('page');
 }
 else {
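Review bot: In the third hunk (`get '/pastebin/:pasteid'`), the retained `$c->stash($row);` copies every column of the `posts` row into the template namespace, so the set of names the viewer can render is decided by the table schema rather than by this handler, and any column rendered without the `html` filter becomes exactly the kind of injection point this commit is closing. Stashing only the fields the viewer uses keeps that contract explicit: `$c->stash({who => $row->{who}, when => $row->{when}, what => $row->{what}, paste => $row->{paste}});`. The same handler then stashes `eval` and `paste_id`; with an explicit field list, a future column with a colliding name cannot reach the template unnoticed. The handler's `else` branch continues outside the hunk.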
diff --git a/pastes.db b/pastes.db index fa175eb7a204c25cac8c51faf4a8051942bcd16d..69022547e335c4ced2e673754483f3153ed1dcaf 100644 GIT binary patch delta 599 zcmZp0Xz-XI&8o@3z`!|C!JbibW5N<<9wz2*Kmi6$=HJZUHVd#kXJ%nw;85HAo1KM) zQDYMii+~s>LlFbhKBhJ%J;qOrs~No*bs2Us6iqCQsCQH2U}$9I<>h55POMZ=vMEk3 z$}A{R$VtpgFHKBOwN=VWEK7t4D%mCGq!yKEsHc<`B&uuL=tG36fE?u(~444^YT+tl?zgfa)5Tel2&17 z&_y^s$u2uJ+eSYL?4axM%0LGhgJkhJ27vXS_AR|9A>Kf+z;L8^`jQg!4YRY*U)xjZi)HDu@POHc{$9!l<-~hed#o cm2ou#(>|s)COyVajH@>m&Sc!YS~ipk0Eo8}9smFU diff --git a/templates/editor.html.tt b/templates/editor.html similarity index 62% rename from templates/editor.html.tt rename to templates/editor.html index e2f054b..fc40a48 100755 --- a/templates/editor.html.tt +++ b/templates/editor.html @@ -20,35 +20,23 @@ [% BLOCK page_header %]
- [% IF viewing %] -
- Who: [% who %] -
-
- When: [% when %] -
-
- What: [% what %] -
- [% ELSE %] -
- - -
-
- - -
-
- - -
- [% END %] +
+ + +
+
+ + +
+
+ + +
[% END %] @@ -62,14 +50,12 @@
- +
         
@@ -84,10 +70,6 @@ //editor.setTheme("ace/theme/twilight"); editor.session.setMode("ace/mode/perl"); - [% IF viewing %] - editor.setReadOnly(true); - [% END %] - function resizeAce() { var h = window.innerHeight; if (h > 360) { diff --git a/templates/viewer.html b/templates/viewer.html new file mode 100755 index 0000000..d5e30b1 --- /dev/null +++ b/templates/viewer.html @@ -0,0 +1,78 @@ +[% BLOCK body_style %] + +[% END %] + +[% BLOCK page_header %] +
+
+ Who: [% who | html %] +
+
+ When: [% when %] +
+
+ What: [% what | html %] +
+
+[% END %] + +[% BLOCK body %] +
+
+
+
+ [% PROCESS page_header %] +
+
+
+
+
+
[% paste | html %]
+
+
+

Program Output:

+
[% eval | html %]
+
+
+ +
+
+
+ + + +[% END %]
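Review bot: `When: [% when %]` in `page_header` is the one field rendered without the `html` filter, while `who`, `what`, `paste` and `eval` all receive it. Because the handler stashes the raw database row, this value is whatever the `when` column holds, and the commit title implies every row field should be treated as untrusted when rendered. Make it consistent: `When: [% when | html %]`. If `paste_id` is interpolated into an attribute elsewhere in this template (presumably an edit link; that part of the hunk is not legible here), it needs a filter as well — `| uri` inside an `href`, `| html` in text content.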