[interchange-cvs] interchange - heins modified 9 files
interchange-cvs at icdevgroup.org
Fri Jul 4 15:53:40 UTC 2008
User: heins
Date: 2008-07-04 15:53:39 GMT
Modified: code/SystemTag Tag: STABLE_5_6-branch value.coretag
Modified: dist/standard/include/checkout Tag: STABLE_5_6-branch
Modified: billing_address new_browser_payment
Modified: new_browser_payment_multi old_browser_payment
Modified: old_browser_payment_multi payment_select
Modified: payment_select_multi shipping_address
Log:
* We are vulnerable to cross-site scripting problems any time there is a
<input value="[value foo]"> call. You can get around this, of course,
with <input value="[value name=foo keep=1 filter=encode_entities]">
instead. That is a bit of a mess, though, so I added an alias
for that called "evalue".
You call it with [evalue address1], which is identical to
[value keep=1 filter="encode_entities" name=address1].
* Modified include/checkout forms to use this. There are undoubtedly many
other places it should be put in. But until this is evaluated properly
I don't want to do it all over the place. You can do so with this
one-liner, at least pretty reliably:
perl -pi -e 's{value="\[(value\s+[-\w]+\])}{value="[e$1}g'
I think we have gotten rid of all VALUE= uppercase kind of things,
but if not we should now.
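The one-liner above only rewrites the `value="[value foo]"` form. The following audit script is an added example (not part of this commit or of Interchange) that scans template text for `[value ...]` tags interpolated into any HTML attribute, including the `name=foo`, single-quoted and unquoted forms the one-liner skips, and ignores tags that already use `evalue` or the `encode_entities` filter. The sample template lines are constructed, modelled on the checkout includes in this commit.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: list [value ...] tags that sit inside
# an HTML attribute value without the encode_entities filter.
use strict;
use warnings;

# Returns a list of [line_number, attribute_name, tag_text] findings.
sub find_unescaped_value_tags {
    my ($template) = @_;
    my @findings;
    my $ln = 0;
    for my $line (split /\n/, $template) {
        $ln++;
        # attr="[value ...]", attr='[value ...]' or attr=[value ...]
        # \b after "value" keeps [evalue ...] and [value_x ...] from matching
        while ($line =~ /\b([\w-]+)\s*=\s*(?:"(\[value\b[^\]]*\])"|'(\[value\b[^\]]*\])'|(\[value\b[^\]]*\]))/g) {
            my $attr = $1;
            my $tag  = $2 // $3 // $4;
            # already escaped with the filter the commit log recommends
            next if $tag =~ /filter\s*=\s*["']?encode_entities/;
            push @findings, [$ln, $attr, $tag];
        }
    }
    return @findings;
}

# Constructed sample, modelled on dist/standard/include/checkout templates
my $sample = <<'EOT';
<input type="text" name="b_fname" value="[value b_fname]" size="20">
<input type="text" name="b_lname" value="[evalue b_lname]" size="20">
<input type=text name=city value='[value name=city]'>
<input type=text name=zip value=[value zip]>
<input type="text" name="email" value="[value name=email keep=1 filter=encode_entities]">
[display name=b_state type=state_select value="[value b_state]"]
EOT

my @hits = find_unescaped_value_tags($sample);
printf "line %d: %s=%s\n", @$_ for @hits;
```

Feed it whole template files (for example with `local $/` and a file read) to audit an include directory; the nested `[display ... value="[value b_state]"]` form is reported as well, since the inner tag is still an attribute value once interpolated.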
Revision Changes Path
No revision
No revision
1.6.2.1 interchange/code/SystemTag/value.coretag
rev 1.6.2.1, prev_rev 1.6
Index: value.coretag
===================================================================
RCS file: /var/cvs/interchange/code/SystemTag/value.coretag,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- value.coretag 30 Mar 2007 23:40:49 -0000 1.6
+++ value.coretag 4 Jul 2008 15:53:39 -0000 1.6.2.1
@@ -5,10 +5,11 @@
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version. See the LICENSE file for details.
#
-# $Id: value.coretag,v 1.6 2007-03-30 23:40:49 pajamian Exp $
+# $Id: value.coretag,v 1.6.2.1 2008-07-04 15:53:39 mheins Exp $
UserTag value Order name
UserTag value addAttr
UserTag value PosNumber 1
-UserTag value Version $Revision: 1.6 $
+UserTag value Version $Revision: 1.6.2.1 $
UserTag value MapRoutine Vend::Interpolate::tag_value
+UserTag evalue Alias value keep=1 filter="encode_entities" name=
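Review bot: the new `evalue` alias has no comment in value.coretag documenting it; add a line such as `# [evalue foo] expands to [value keep=1 filter="encode_entities" name=foo]` next to the Alias so that the trailing `name=` (which takes the positional argument) is not mistaken for an incomplete line. Also note in that comment that encode_entities is the right filter for a double-quoted HTML attribute, which is how every template in this commit uses it, and that a value placed inside a script block or a URL would need a context-appropriate filter instead.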
No revision
No revision
1.4.2.1 interchange/dist/standard/include/checkout/billing_address
rev 1.4.2.1, prev_rev 1.4
Index: billing_address
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/billing_address,v
retrieving revision 1.4
retrieving revision 1.4.2.1
diff -u -r1.4 -r1.4.2.1
--- billing_address 2 Dec 2005 19:23:23 -0000 1.4
+++ billing_address 4 Jul 2008 15:53:39 -0000 1.4.2.1
@@ -63,7 +63,7 @@
</td>
<td align="left" class="contentbar1">
<br>
- <input type="text" name="b_fname" value="[value b_fname]" size="20" maxlength="20">
+ <input type="text" name="b_fname" value="[evalue b_fname]" size="20" maxlength="20">
</td>
<td align="right" class="contentbar1">
<br>
@@ -71,7 +71,7 @@
</td>
<td align="left" class="contentbar1">
<br>
- <input type="text" name="b_lname" value="[value b_lname]" size="20">
+ <input type="text" name="b_lname" value="[evalue b_lname]" size="20">
</td>
</tr>
<tr>
@@ -79,7 +79,7 @@
<b>[L]Company[/L]</b>
</td>
<td align="left" class="contentbar1" colspan="3">
- <input type="text" name="b_company" value="[value b_company]" size="20" maxlength="44">
+ <input type="text" name="b_company" value="[evalue b_company]" size="20" maxlength="44">
</td>
</tr>
<tr>
@@ -87,13 +87,13 @@
<b>[L]Address[/L]</b>
</td>
<td align="left" colspan="3" class="contentbar1">
- <input type="text" name="b_address1" value="[value b_address1]" size=40 maxlength="64">
+ <input type="text" name="b_address1" value="[evalue b_address1]" size=40 maxlength="64">
</td>
</tr>
<tr>
<td class="contentbar1"> </td>
<td align="left" colspan="3" class="contentbar1">
- <input type="text" name="b_address2" value="[value b_address2]" size=40 maxlength="64">
+ <input type="text" name="b_address2" value="[evalue b_address2]" size=40 maxlength="64">
</td>
</tr>
<tr>
@@ -101,11 +101,11 @@
<b>[L]City[/L]</b>
</td>
<td class="contentbar1">
- <input type="text" name="b_city" value="[value b_city]" size="20">
+ <input type="text" name="b_city" value="[evalue b_city]" size="20">
</td>
<td align="right" class="contentbar1"><b>[L]State/Province[/L]</b></td>
<td class="contentbar1">
- [display name=b_state type=state_select value="[value b_state]"]
+ [display name=b_state type=state_select value="[evalue b_state]"]
</td>
</tr>
<tr>
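Review bot: for `[display name=b_state type=state_select value="[evalue b_state]"]` the value is data that [display] compares against its option values to preselect one, not raw HTML output; please confirm that [display] does not encode the value itself (otherwise it is double-encoded) and that a stored value containing `&`, `<`, `>` or quotes still matches the intended option. The same check applies to the b_country [display] further down in this file.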
@@ -113,7 +113,7 @@
<b>[L]Zip/Postal Code[/L]</b>
</td>
<td class="contentbar1" colspan="3">
- <input type="text" name="b_zip" value="[value b_zip]" size="10" maxlength="10">
+ <input type="text" name="b_zip" value="[evalue b_zip]" size="10" maxlength="10">
</td>
</tr>
<tr>
@@ -121,7 +121,7 @@
<b>[L]Country[/L]</b>
</td>
<td class="contentbar1" colspan="3">
- [display name=b_country type=country_select value="[value b_country]"]
+ [display name=b_country type=country_select value="[evalue b_country]"]
</td>
</tr>
<tr>
1.7.2.1 interchange/dist/standard/include/checkout/new_browser_payment
rev 1.7.2.1, prev_rev 1.7
Index: new_browser_payment
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/new_browser_payment,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -r1.7 -r1.7.2.1
--- new_browser_payment 1 Sep 2006 08:04:55 -0000 1.7
+++ new_browser_payment 4 Jul 2008 15:53:39 -0000 1.7.2.1
@@ -307,7 +307,7 @@
[error name=check_account std_label="[L]Account Number[/L]" required=1]
</td>
<td colspan="3 align="left" class="contentbar1">
- <input type="text" name="check_account" size="22" value="[value check_account]">
+ <input type="text" name="check_account" size="22" value="[evalue check_account]">
</td>
</tr>
<tr>
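Review bot: the unchanged context line `<td colspan="3 align="left" class="contentbar1">` is missing the closing quote after `3`, so the browser reads `3 align=` as the colspan value and the remaining attributes inconsistently; since this template is being touched anyway, change it to `<td colspan="3" align="left" class="contentbar1">`. The same broken quote appears in the first hunk of old_browser_payment and old_browser_payment_multi.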
@@ -316,7 +316,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
- <b><input type="text" name="check_routing" size="22" value="[value check_routing]"></b>
+ <b><input type="text" name="check_routing" size="22" value="[evalue check_routing]"></b>
</td>
</tr>
<tr>
@@ -325,7 +325,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
<b>
- <input type="text" name="check_number" size="22" value="[value check_number]">
+ <input type="text" name="check_number" size="22" value="[evalue check_number]">
</b>
</td>
</tr>
@@ -336,7 +336,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
<b>
- <input type="text" name="check_bank_phone" size="22" value="[value check_bank_phone]">
+ <input type="text" name="check_bank_phone" size="22" value="[evalue check_bank_phone]">
</b>
</td>
</tr>
@@ -374,7 +374,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
<b>
- <input name="po_number" value="[value po_number]" size="14">
+ <input name="po_number" value="[evalue po_number]" size="14">
</b>
</td>
</tr>
1.6.2.1 interchange/dist/standard/include/checkout/new_browser_payment_multi
rev 1.6.2.1, prev_rev 1.6
Index: new_browser_payment_multi
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/new_browser_payment_multi,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- new_browser_payment_multi 1 Sep 2006 08:04:55 -0000 1.6
+++ new_browser_payment_multi 4 Jul 2008 15:53:39 -0000 1.6.2.1
@@ -306,7 +306,7 @@
[error name=check_account std_label="[L]Account Number[/L]" required=1]
</td>
<td colspan=3 align=left>
- <input type=text name=check_account size=22 value="[value check_account]">
+ <input type=text name=check_account size=22 value="[evalue check_account]">
</td>
</tr>
<tr>
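Review bot: the fix depends on `value="..."` staying double-quoted, because encode_entities turns `"` into `&quot;` and so keeps the attribute from being closed early; the other attributes on this line (`type=text name=check_account size=22`) are unquoted, and the one-liner in the log only matches `value="[value`, so an unquoted `value=[value ...]` elsewhere would be skipped by that sweep. Consider quoting all attributes in these lines while they are being edited, and grepping for the unquoted form separately.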
@@ -315,7 +315,7 @@
</td>
<td align="left" colspan="3">
- <b><input type=text name=check_routing size=22 value="[value check_routing]"></b>
+ <b><input type=text name=check_routing size=22 value="[evalue check_routing]"></b>
</td>
</tr>
<tr>
@@ -324,7 +324,7 @@
</td>
<td align="left" colspan="3">
<b>
- <input type=text name=check_number size=22 value="[value check_number]">
+ <input type=text name=check_number size=22 value="[evalue check_number]">
</b>
</td>
</tr>
@@ -335,7 +335,7 @@
</td>
<td align="left" colspan="3">
<b>
- <input type=text name=check_bank_phone size=22 value="[value check_bank_phone]">
+ <input type=text name=check_bank_phone size=22 value="[evalue check_bank_phone]">
</b>
</td>
</tr>
@@ -372,7 +372,7 @@
</td>
<td align=left colspan=3>
<b>
- <input name=po_number value="[value po_number]" size=14>
+ <input name=po_number value="[evalue po_number]" size=14>
</b>
</td>
</tr>
1.6.2.1 interchange/dist/standard/include/checkout/old_browser_payment
rev 1.6.2.1, prev_rev 1.6
Index: old_browser_payment
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/old_browser_payment,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- old_browser_payment 1 Sep 2006 08:04:55 -0000 1.6
+++ old_browser_payment 4 Jul 2008 15:53:39 -0000 1.6.2.1
@@ -154,7 +154,7 @@
</td>
<td colspan="3 align="left" class="contentbar1">
<b>
- <input type=text name=check_account size=22 value="[value check_account]">
+ <input type=text name=check_account size=22 value="[evalue check_account]">
</b>
</td>
</tr>
@@ -164,7 +164,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
- <b><input type=text name=check_routing size=22 value="[value check_routing]"></b>
+ <b><input type=text name=check_routing size=22 value="[evalue check_routing]"></b>
</td>
</tr>
<tr>
@@ -173,7 +173,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
<b>
- <input type=text name=check_number size=22 value="[value check_number]">
+ <input type=text name=check_number size=22 value="[evalue check_number]">
</b>
</td>
</tr>
@@ -184,7 +184,7 @@
</td>
<td align="left" colspan="3" class="contentbar1">
<b>
- <input type=text name=check_bank_phone size=22 value="[value check_bank_phone]">
+ <input type=text name=check_bank_phone size=22 value="[evalue check_bank_phone]">
</b>
</td>
</tr>
@@ -215,7 +215,7 @@
</td>
<td align=left colspan=3 class="contentbar1">
<b>
- <input name=po_number value="[value po_number]" size=14>
+ <input name=po_number value="[evalue po_number]" size=14>
</b>
</td>
</tr>
1.5.2.1 interchange/dist/standard/include/checkout/old_browser_payment_multi
rev 1.5.2.1, prev_rev 1.5
Index: old_browser_payment_multi
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/old_browser_payment_multi,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1
--- old_browser_payment_multi 1 Sep 2006 08:04:55 -0000 1.5
+++ old_browser_payment_multi 4 Jul 2008 15:53:39 -0000 1.5.2.1
@@ -154,7 +154,7 @@
</td>
<td colspan="3 align="left">
<b>
- <input type=text name=check_account size=22 value="[value check_account]">
+ <input type=text name=check_account size=22 value="[evalue check_account]">
</b>
</td>
</tr>
@@ -164,7 +164,7 @@
</td>
<td align="left" colspan="3">
- <b><input type=text name=check_routing size=22 value="[value check_routing]"></b>
+ <b><input type=text name=check_routing size=22 value="[evalue check_routing]"></b>
</td>
</tr>
<tr>
@@ -173,7 +173,7 @@
</td>
<td align="left" colspan="3">
<b>
- <input type=text name=check_number size=22 value="[value check_number]">
+ <input type=text name=check_number size=22 value="[evalue check_number]">
</b>
</td>
</tr>
@@ -184,7 +184,7 @@
</td>
<td align="left" colspan="3">
<b>
- <input type=text name=check_bank_phone size=22 value="[value check_bank_phone]">
+ <input type=text name=check_bank_phone size=22 value="[evalue check_bank_phone]">
</b>
</td>
</tr>
@@ -214,7 +214,7 @@
</td>
<td align=left colspan=3>
<b>
- <input name=po_number value="[value po_number]" size=14>
+ <input name=po_number value="[evalue po_number]" size=14>
</b>
</td>
</tr>
1.2.4.1 interchange/dist/standard/include/checkout/payment_select
rev 1.2.4.1, prev_rev 1.2
Index: payment_select
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/payment_select,v
retrieving revision 1.2
retrieving revision 1.2.4.1
diff -u -r1.2 -r1.2.4.1
--- payment_select 26 Jan 2005 17:51:13 -0000 1.2
+++ payment_select 4 Jul 2008 15:53:39 -0000 1.2.4.1
@@ -102,7 +102,7 @@
[/if]
[if variable PO_ALWAYS]
<b>[L]P.O. Number[/L]:</b>
- <input type=text name=po_number value="[value po_number]">
+ <input type=text name=po_number value="[evalue po_number]">
[/if]
[if scratch pay_cert_code]
1.1.1.1.4.1 interchange/dist/standard/include/checkout/payment_select_multi
rev 1.1.1.1.4.1, prev_rev 1.1.1.1
Index: payment_select_multi
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/payment_select_multi,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.4.1
diff -u -r1.1.1.1 -r1.1.1.1.4.1
--- payment_select_multi 25 Apr 2004 17:07:49 -0000 1.1.1.1
+++ payment_select_multi 4 Jul 2008 15:53:39 -0000 1.1.1.1.4.1
@@ -98,7 +98,7 @@
[/if]
[if variable PO_ALWAYS]
<b>[L]P.O. Number[/L]:</b>
- <input type=text name=po_number value="[value po_number]">
+ <input type=text name=po_number value="[evalue po_number]">
[/if]
[if scratch pay_cert_code]
1.5.2.1 interchange/dist/standard/include/checkout/shipping_address
rev 1.5.2.1, prev_rev 1.5
Index: shipping_address
===================================================================
RCS file: /var/cvs/interchange/dist/standard/include/checkout/shipping_address,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1
--- shipping_address 4 Mar 2008 04:24:37 -0000 1.5
+++ shipping_address 4 Jul 2008 15:53:39 -0000 1.5.2.1
@@ -18,30 +18,30 @@
[error name=fname std_label="[L]First Name[/L]" required=1]
</td>
<td align=left class="contentbar1">
- <input type=text name=fname value="[value fname]" size="20" maxlength="20">
+ <input type=text name=fname value="[evalue fname]" size="20" maxlength="20">
</td>
<td align="right" class="contentbar1">[error name=lname std_label="[L]Last Name[/L]" required=1]</td>
- <td align="left" class="contentbar1"><input type=text name=lname value="[value lname]" size="20"></td>
+ <td align="left" class="contentbar1"><input type=text name=lname value="[evalue lname]" size="20"></td>
</tr>
<tr>
<td align="right" class="contentbar1">
[error name=company std_label="[L]Company[/L]" required="[scratch dealer]"]
</td>
<td align="left" class="contentbar1" colspan=3>
- <input type=text name=company value="[value company]" size="20" maxlength="40">
+ <input type=text name=company value="[evalue company]" size="20" maxlength="40">
</td>
</tr>
<tr>
<td align="right" class="contentbar1">[error name=address1 std_label="[L]Address[/L]" required=1]
</td>
<td align="left" colspan=3 class="contentbar1">
- <input type=text name=address1 value="[value address1]" size="40" maxlength="64">
+ <input type=text name=address1 value="[evalue address1]" size="40" maxlength="64">
</td>
</tr>
<tr>
<td class="contentbar1"> </td>
<td class="contentbar1" align="left" colspan=3>
- <input type=text name=address2 value="[value address2]" size="40" maxlength="64">
+ <input type=text name=address2 value="[evalue address2]" size="40" maxlength="64">
</td>
</tr>
<tr class="contentbar1">
@@ -49,7 +49,7 @@
[error name=city std_label="[L]City[/L]" required=1]
</td>
<td class="contentbar1" colspan=3>
- <input type=text name=city value="[value city]" size="20" maxlength="20">
+ <input type=text name=city value="[evalue city]" size="20" maxlength="20">
</td>
</tr>
<tr>
@@ -57,7 +57,7 @@
[error name=state std_label="[L]State/Province[/L]" required=1]
</td>
<td align="left" class="contentbar1" colspan=3>
- [display name=state type=state_select value="[value state]"]
+ [display name=state type=state_select value="[evalue state]"]
</td>
</tr>
<tr>
@@ -65,7 +65,7 @@
[error name=zip std_label="[L]Zip/Postal Code[/L]" required=1]
</td>
<td class="contentbar1" colspan=3>
- <input type=text name=zip value="[value zip]" size="10" maxlength="10">
+ <input type=text name=zip value="[evalue zip]" size="10" maxlength="10">
</td>
</tr>
<tr>
@@ -73,7 +73,7 @@
[error name=email std_label="[L]Email Address[/L]" required=1]
</td>
<td class="contentbar1" colspan=3>
- <input type=text name=email value="[value email]" size="30">
+ <input type=text name=email value="[evalue email]" size="30">
</td>
</tr>
<tr>
@@ -81,7 +81,7 @@
[L]Country[/L]
</td>
<td colspan="3" class="contentbar1">
- [display name=country type=country_select value="[value country]"]
+ [display name=country type=country_select value="[evalue country]"]
</td>
</tr>
<tr>
@@ -89,13 +89,13 @@
[error name=phone_day std_label="[L]Daytime Phone[/L]" required=1]
</td>
<td class="contentbar1">
- <input type=text name=phone_day value="[value phone_day]" size="12" maxlength="20">
+ <input type=text name=phone_day value="[evalue phone_day]" size="12" maxlength="20">
</td>
<td align="right" class="contentbar1">
[error name=phone_night std_label="[L]Evening Phone[/L]"]
</td>
<td align="left" class="contentbar1">
- <input type=text name=phone_night value="[value phone_night]" size="12" maxlength="20">
+ <input type=text name=phone_night value="[evalue phone_night]" size="12" maxlength="20">
</td>
</tr>
[if session ship_message]