[interchange-cvs] interchange - heins modified 13 files
interchange-core@interchange.redhat.com
Sat Oct 13 19:11:00 2001
User: heins
Date: 2001-10-13 23:10:24 GMT
Modified: . Tag: STABLE_4_8-branch MANIFEST Makefile.PL README
Modified: WHATSNEW
Modified: SPECS Tag: STABLE_4_8-branch interchange.spec
Modified: dist/foundation Tag: STABLE_4_8-branch catalog.cfg
Modified: dist/foundation/pages Tag: STABLE_4_8-branch login.html
Modified: new_account.html
Modified: dist/foundation/pages/ord Tag: STABLE_4_8-branch
Modified: checkout.html
Modified: lib/Vend Tag: STABLE_4_8-branch Config.pm Interpolate.pm
Modified: Parse.pm
Modified: scripts Tag: STABLE_4_8-branch interchange.PL
Log:
* Fairly sweeping changes to fix cross-site scripting vulnerability.
* Don't allow < output from [value ...] or [cgi ....]. Provide
option to enable it explicitly if desired.
* Default foundation to "CookieLogin No".
* Check value of CookieLogin before presenting checkbox asking about
auto-login.
* Filter values when moved from CGI, but allow the setting of a
$Session->{restrict_html} which will filter tags to only certain
ones (can prevent <SCRIPT> but not <A HREF="javascript:....">).
Don't filter for Vend::admin.
* Add "Promiscuous" directive so that sites that are broken can
get back up quickly, albeit still with the vulnerability.
* Update version to 4.8.3 prior to release.
Revision Changes Path
No revision
No revision
2.17.2.5 +4 -0 interchange/MANIFEST
rev 2.17.2.5, prev_rev 2.17.2.4
Index: MANIFEST
===================================================================
RCS file: /anon_cvs/repository/interchange/MANIFEST,v
retrieving revision 2.17.2.4
retrieving revision 2.17.2.5
diff -u -r2.17.2.4 -r2.17.2.5
--- MANIFEST 2001/10/01 10:19:51 2.17.2.4
+++ MANIFEST 2001/10/13 23:10:22 2.17.2.5
@@ -449,6 +449,7 @@
dist/lib/UI/ichelp.txt
dist/lib/UI/icmenu.txt
dist/lib/UI/locales/README
+dist/lib/UI/locales/TODO
dist/lib/UI/locales/da_DK.cfg
dist/lib/UI/locales/de_DE.cfg
dist/lib/UI/locales/default.cfg
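Review bot: the MANIFEST additions here and in the next hunk (dist/lib/UI/locales/TODO and the he_IL gifs) are packaging changes unrelated to the cross-site scripting fix described in the log; listing them in the log, or committing them separately, would keep the security change reviewable on its own.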
@@ -934,13 +935,16 @@
share/interchange/he_IL/A2.gif
share/interchange/he_IL/A3.gif
share/interchange/he_IL/A3_b.gif
+share/interchange/he_IL/B2.gif
share/interchange/he_IL/B2_b.gif
share/interchange/he_IL/B3.gif
share/interchange/he_IL/B3_b.gif
share/interchange/he_IL/B4.gif
share/interchange/he_IL/B4_b.gif
share/interchange/he_IL/B5.gif
+share/interchange/he_IL/B5_b.gif
share/interchange/he_IL/B6.gif
+share/interchange/he_IL/B6_b.gif
share/interchange/he_IL/B7.gif
share/interchange/he_IL/B7_b.gif
share/interchange/he_IL/B8.gif
2.9.2.4 +1 -1 interchange/Makefile.PL
rev 2.9.2.4, prev_rev 2.9.2.3
Index: Makefile.PL
===================================================================
RCS file: /anon_cvs/repository/interchange/Makefile.PL,v
retrieving revision 2.9.2.3
retrieving revision 2.9.2.4
diff -u -r2.9.2.3 -r2.9.2.4
--- Makefile.PL 2001/10/04 09:32:21 2.9.2.3
+++ Makefile.PL 2001/10/13 23:10:22 2.9.2.4
@@ -28,7 +28,7 @@
my @remove_old;
my $Lock_troubles;
-$VERSION = '4.8.2';
+$VERSION = '4.8.3';
# See if we have the CPAN module
2.4.2.2 +1 -1 interchange/README
rev 2.4.2.2, prev_rev 2.4.2.1
Index: README
===================================================================
RCS file: /anon_cvs/repository/interchange/README,v
retrieving revision 2.4.2.1
retrieving revision 2.4.2.2
diff -u -r2.4.2.1 -r2.4.2.2
--- README 2001/08/14 08:39:55 2.4.2.1
+++ README 2001/10/13 23:10:22 2.4.2.2
@@ -2,7 +2,7 @@
I N T E R C H A N G E
-Interchange 4.8.2
+Interchange 4.8.3
Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
2.6.2.5 +32 -4 interchange/WHATSNEW
rev 2.6.2.5, prev_rev 2.6.2.4
Index: WHATSNEW
===================================================================
RCS file: /anon_cvs/repository/interchange/WHATSNEW,v
retrieving revision 2.6.2.4
retrieving revision 2.6.2.5
diff -u -r2.6.2.4 -r2.6.2.5
--- WHATSNEW 2001/10/11 13:12:23 2.6.2.4
+++ WHATSNEW 2001/10/13 23:10:22 2.6.2.5
@@ -8,13 +8,41 @@
Core and usertags
-----------------
+
+* Some fairly major changes to limit exposure to the cross-site
+ JavaScript vulnerabilities described in:
+
+ http://www.cert.org/advisories/CA-2000-02.html
+
+ The vulnerability is only serious if you have "CookieLogin Yes"
+ in your catalog.cfg definition (as unfortunately was in foundation).
+
+ It is recommended that you either set CookieLogin to No, or at least
+ do
+
+ SaveExpire 8 hours
+
+ - Notably, [cgi ...] and [value ...] will not display < characters
+ unless you specifically enable it with the enable-html=1 option.
+
+ Normally this should cause no problems. If your site breaks
+ because of this update, you can temporarily re-enable this with:
+
+ Promiscuous Yes
+
+ in your catalog.cfg file.
+
+* New filter restrict_html. Called with:
+
+ [filter restrict_html.a.b.i.u.p.br]
+ <SCRIPT> malicious('Gotcha!') </SCRIPT>
+ [/filter]
+
+ which prevents the <SCRIPT> from executing.
+
* Make mv_more_alpha working in query tags.
* Allow [dump] of portion of session, for example [dump scratch].
- !!UNDOCUMENTED!!
-
-* New filter restrict_html.
- !!UNDOCUMENTED!!
I18N
--------
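Review bot: the restrict_html example should carry the caveat that is in the commit log but not in this WHATSNEW text: the filter keeps only the listed tags, so it stops <SCRIPT> but not a permitted tag such as <A HREF="javascript:..."> , and designers need that before treating the allow-list as a complete defence. The "SaveExpire 8 hours" advice would also read better with one sentence on why it helps: it bounds how long a captured auto-login cookie remains usable, which is exactly the exposure that "CookieLogin Yes" creates.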
No revision
No revision
2.4.2.3 +1 -1 interchange/SPECS/interchange.spec
rev 2.4.2.3, prev_rev 2.4.2.2
Index: interchange.spec
===================================================================
RCS file: /anon_cvs/repository/interchange/SPECS/interchange.spec,v
retrieving revision 2.4.2.2
retrieving revision 2.4.2.3
diff -u -r2.4.2.2 -r2.4.2.3
--- interchange.spec 2001/09/19 19:10:44 2.4.2.2
+++ interchange.spec 2001/10/13 23:10:23 2.4.2.3
@@ -1,4 +1,4 @@
-%define ic_version 4.8.2
+%define ic_version 4.8.3
%define ic_rpm_release 1
%define ic_package_basename interchange
%define ic_user interch
No revision
No revision
2.3.2.1 +85 -84 interchange/dist/foundation/catalog.cfg
rev 2.3.2.1, prev_rev 2.3
Index: catalog.cfg
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/foundation/catalog.cfg,v
retrieving revision 2.3
retrieving revision 2.3.2.1
diff -u -r2.3 -r2.3.2.1
--- catalog.cfg 2001/08/10 00:29:04 2.3
+++ catalog.cfg 2001/10/13 23:10:23 2.3.2.1
@@ -166,8 +166,9 @@
UserDB affiliate time_field none
UserDB affiliate crypt 0
-# Set this to No if you don't want auto-login capability for users
-CookieLogin Yes
+# Set this to Yes if you want auto-login capability for users.
+# You must be careful about malicious JavaScripts in your embedded code.
+CookieLogin No
#==========================================================================#
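Review bot: the new comment warns about "malicious JavaScripts in your embedded code" but not what the directive trades off; saying that CookieLogin Yes issues a persistent auto-login cookie, and that script injected into a page can read and reuse it for the life of that cookie, would make the No default self-explanatory. Note also that this default only reaches catalogs built from the updated foundation template; existing catalog.cfg files keep CookieLogin Yes, and the WHATSNEW entry is the only thing telling those operators to change it.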
@@ -208,22 +209,22 @@
## sure you remove it from the list of "transactions" tables.
Route log <<EOF
- empty 1
- encrypt 0
- increment 0
- report etc/log_transaction
- supplant 0
- track logs/log
+ empty 1
+ encrypt 0
+ increment 0
+ report etc/log_transaction
+ supplant 0
+ track logs/log
EOF
## This route places the order entry in the database when you are
## entering an order from the admin. See above.
Route log_entry <<EOF
- empty 1
- encrypt 0
- report etc/log_entry
- supplant 0
- track logs/log
+ empty 1
+ encrypt 0
+ report etc/log_entry
+ supplant 0
+ track logs/log
EOF
ifdef TRANSACTION_TABLES
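Review bot: this hunk and the following Route, NoCache, UserTag and ActionMap hunks in catalog.cfg are whitespace-only re-indentation (the +85/-84 count is almost entirely this; a diff -uw would show nothing). Keeping cosmetic reflows out of a vulnerability fix makes it much easier to audit what actually changed in the security release.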
@@ -235,32 +236,32 @@
## care (much) if it fails, so error_ok is set and failure will
## not cause the order to fail
Route copy_user <<EOF
- empty 1
- error_ok 1
- encrypt 0
- increment 0
- report etc/mail_receipt
- supplant 0
- track logs/log
+ empty 1
+ error_ok 1
+ encrypt 0
+ increment 0
+ report etc/mail_receipt
+ supplant 0
+ track logs/log
EOF
ParseVariables Yes
## This route emails the order to you unless email is set to "",
## and failsafe-logs the order report a couple of places
Route main <<EOF
- attach 0
- credit_card 1
- default 1
- email '__ORDERS_TO__'
- encrypt 0
- errors_to '__ORDERS_TO__'
- pgp_cc_key "__PGP_KEY__"
- pgp_key "__PGP_KEY__"
- receipt etc/receipt.html
- report etc/report
- supplant 1
- individual_track orders
- track logs/tracking.asc
+ attach 0
+ credit_card 1
+ default 1
+ email '__ORDERS_TO__'
+ encrypt 0
+ errors_to '__ORDERS_TO__'
+ pgp_cc_key "__PGP_KEY__"
+ pgp_key "__PGP_KEY__"
+ receipt etc/receipt.html
+ report etc/report
+ supplant 1
+ individual_track orders
+ track logs/tracking.asc
EOF
# Order routes can be maintained in a database
@@ -313,17 +314,17 @@
# Static page build settings.
NoCache <<EOF
- admin
- login
- account
- logout
- config
- multi
- ord/basket
- ord/checkout
- query
- reconfig
- special
+ admin
+ login
+ account
+ logout
+ config
+ multi
+ ord/basket
+ ord/checkout
+ query
+ reconfig
+ special
EOF
Static __CATALOG_STATIC__
@@ -348,60 +349,60 @@
UserTag history-scan addAttr
UserTag history-scan Routine <<EOR
my %var_exclude = ( qw/
- mv_credit_card_number 1
- mv_pc 1
- mv_session_id 1
+ mv_credit_card_number 1
+ mv_pc 1
+ mv_session_id 1
/);
sub {
- my ($find, $exclude, $default) = @_;
- my $ref = $Vend::Session->{History}
- or return $Tag->area($default || $Config->{SpecialPage}{catalog});
- my ($hist, $href, $cgi);
- $exclude = qr/$exclude/ if $exclude;
- for(my $i = $#$ref; $i >= 0; $i--) {
- #Log("checking $ref->[$i][0] for $exclude");
- next if $ref->[$i][0] eq 'expired';
- if ($exclude and $ref->[$i][0] =~ $exclude) {
- next;
- }
- if($find) {
- next unless $ref->[$i][0] =~ /$find/;
- }
- ($href, $cgi) = @{$ref->[$i]};
- last;
- }
- return $Tag->area($default || $Config->{SpecialPage}{catalog})
- if ! $href;
- my $form = '';
- for(grep !$var_exclude{$_}, keys %$cgi) {
- $form .= "\n$_=";
- $form .= join("\n$_=", split /\0/, $cgi->{$_});
- }
- return $Tag->area( { href => $href, form => $form} );
+ my ($find, $exclude, $default) = @_;
+ my $ref = $Vend::Session->{History}
+ or return $Tag->area($default || $Config->{SpecialPage}{catalog});
+ my ($hist, $href, $cgi);
+ $exclude = qr/$exclude/ if $exclude;
+ for(my $i = $#$ref; $i >= 0; $i--) {
+ #Log("checking $ref->[$i][0] for $exclude");
+ next if $ref->[$i][0] eq 'expired';
+ if ($exclude and $ref->[$i][0] =~ $exclude) {
+ next;
+ }
+ if($find) {
+ next unless $ref->[$i][0] =~ /$find/;
+ }
+ ($href, $cgi) = @{$ref->[$i]};
+ last;
+ }
+ return $Tag->area($default || $Config->{SpecialPage}{catalog})
+ if ! $href;
+ my $form = '';
+ for(grep !$var_exclude{$_}, keys %$cgi) {
+ $form .= "\n$_=";
+ $form .= join("\n$_=", split /\0/, $cgi->{$_});
+ }
+ return $Tag->area( { href => $href, form => $form} );
}
EOR
# Allow delivery of soft goods (downloadable files).
ActionMap deliver <<EOR
sub {
- my $deliverable = shift;
- $Scratch->{deliverable} = $CGI->{mv_arg};
- $CGI->{mv_nextpage} = 'deliver';
- if(! $Session->{username} and $CGI->{mv_username}) {
- $Tag->userdb('login');
- }
- return 1;
+ my $deliverable = shift;
+ $Scratch->{deliverable} = $CGI->{mv_arg};
+ $CGI->{mv_nextpage} = 'deliver';
+ if(! $Session->{username} and $CGI->{mv_username}) {
+ $Tag->userdb('login');
+ }
+ return 1;
}
EOR
# Allow customers to have their passwords emailed to them.
ActionMap get_password <<EOR
sub {
- $Config->{NoSearch} = '';
- $CGI->{mv_nextpage} = $CGI->{mv_search_page} = 'action/get_password';
- $CGI->{mv_todo} = 'search';
- $Tag->update('process');
- return 1;
+ $Config->{NoSearch} = '';
+ $CGI->{mv_nextpage} = $CGI->{mv_search_page} = 'action/get_password';
+ $CGI->{mv_todo} = 'search';
+ $Tag->update('process');
+ return 1;
}
EOR
No revision
No revision
2.0.2.1 +2 -0 interchange/dist/foundation/pages/login.html
rev 2.0.2.1, prev_rev 2.0
Index: login.html
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/foundation/pages/login.html,v
retrieving revision 2.0
retrieving revision 2.0.2.1
diff -u -r2.0 -r2.0.2.1
--- login.html 2001/07/18 02:21:14 2.0
+++ login.html 2001/10/13 23:10:23 2.0.2.1
@@ -74,6 +74,7 @@
<input type="submit" NAME="mv_click" value="New Account">
</td>
</tr>
+ [if config CookieLogin]
<tr>
<td align=right class="contentbar1">
<INPUT TYPE=hidden NAME=mv_cookie_password VALUE=0>
@@ -83,6 +84,7 @@
Log me in automatically (sets cookie)
</td>
</tr>
+ [/if]
</table>
</td>
</tr>
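Review bot: the [if config CookieLogin] opened in the previous hunk closes here, which is correct, but hiding the checkbox is presentation only: confirm that the login handler itself refuses to set the auto-login cookie when CookieLogin is No, otherwise a form submission that still carries mv_cookie_password=1 gets a cookie regardless of what the page shows. The same applies to the identical blocks in new_account.html and ord/checkout.html.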
2.0.2.1 +2 -0 interchange/dist/foundation/pages/new_account.html
rev 2.0.2.1, prev_rev 2.0
Index: new_account.html
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/foundation/pages/new_account.html,v
retrieving revision 2.0
retrieving revision 2.0.2.1
diff -u -r2.0 -r2.0.2.1
--- new_account.html 2001/07/18 02:21:14 2.0
+++ new_account.html 2001/10/13 23:10:23 2.0.2.1
@@ -94,12 +94,14 @@
<INPUT TYPE=submit VALUE="Create Account">
</td>
</tr>
+ [if config CookieLogin]
<tr class="contentbar1">
<td align="right">
<INPUT TYPE=checkbox NAME=mv_cookie_password VALUE=1>
</td>
<td>Log me in automatically (sets cookie)</td>
</tr>
+ [/if]
<tr class="contentbar1">
<td align="right" colspan="2"> </td>
</tr>
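Review bot: the wrapped block is inconsistent with login.html and ord/checkout.html, which place a hidden mv_cookie_password VALUE=0 before the checkbox so an unchecked box still submits an explicit 0; here only the checkbox sits inside the [if config CookieLogin] block. Either add the hidden field for consistency or confirm the account-creation handler treats an absent mv_cookie_password as 0.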
No revision
No revision
2.0.2.2 +2 -0 interchange/dist/foundation/pages/ord/checkout.html
rev 2.0.2.2, prev_rev 2.0.2.1
Index: checkout.html
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/foundation/pages/ord/checkout.html,v
retrieving revision 2.0.2.1
retrieving revision 2.0.2.2
diff -u -r2.0.2.1 -r2.0.2.2
--- checkout.html 2001/08/20 15:47:15 2.0.2.1
+++ checkout.html 2001/10/13 23:10:23 2.0.2.2
@@ -94,12 +94,14 @@
<input type="submit" value="Log In">
</td>
</tr>
+ [if config CookieLogin]
<tr>
<td align="right">
<INPUT TYPE=hidden NAME=mv_cookie_password VALUE=0><INPUT TYPE=checkbox NAME=mv_cookie_password VALUE=1>
</td>
<td>Log me in automatically (sets cookie)</td>
</tr>
+ [/if]
</table>
</td>
</tr>
No revision
No revision
2.2.2.3 +3 -2 interchange/lib/Vend/Config.pm
rev 2.2.2.3, prev_rev 2.2.2.2
Index: Config.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Config.pm,v
retrieving revision 2.2.2.2
retrieving revision 2.2.2.3
diff -u -r2.2.2.2 -r2.2.2.3
--- Config.pm 2001/10/08 15:11:39 2.2.2.2
+++ Config.pm 2001/10/13 23:10:23 2.2.2.3
@@ -1,6 +1,6 @@
# Vend::Config - Configure Interchange
#
-# $Id: Config.pm,v 2.2.2.2 2001/10/08 15:11:39 racke Exp $
+# $Id: Config.pm,v 2.2.2.3 2001/10/13 23:10:23 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -95,7 +95,7 @@
use Vend::Parse;
use Vend::Util;
-$VERSION = substr(q$Revision: 2.2.2.2 $, 10);
+$VERSION = substr(q$Revision: 2.2.2.3 $, 10);
my %CDname;
@@ -450,6 +450,7 @@
['ExtraSecure', 'yesno', 'No'],
['FallbackIP', 'yesno', 'No'],
['WideOpen', 'yesno', 'No'],
+ ['Promiscuous', 'yesno', 'No'],
['Cookies', 'yesno', 'Yes'],
['CookieName', undef, ''],
['CookiePattern', 'regex', '[-\w:.]+'],
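Review bot: Promiscuous is added next to WideOpen, but nothing here records that enabling it restores the vulnerability this commit fixes (the log says as much). Consider logging a config-time warning when Promiscuous is Yes so the escape hatch the WHATSNEW describes as temporary does not silently become permanent, and document the directive alongside WideOpen in the configuration docs.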
2.9.2.5 +12 -4 interchange/lib/Vend/Interpolate.pm
rev 2.9.2.5, prev_rev 2.9.2.4
Index: Interpolate.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.9.2.4
retrieving revision 2.9.2.5
diff -u -r2.9.2.4 -r2.9.2.5
--- Interpolate.pm 2001/10/11 00:23:38 2.9.2.4
+++ Interpolate.pm 2001/10/13 23:10:23 2.9.2.5
@@ -1,6 +1,6 @@
# Vend::Interpolate - Interpret Interchange tags
#
-# $Id: Interpolate.pm,v 2.9.2.4 2001/10/11 00:23:38 mheins Exp $
+# $Id: Interpolate.pm,v 2.9.2.5 2001/10/13 23:10:23 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -27,7 +27,7 @@
require Exporter;
@ISA = qw(Exporter);
-$VERSION = substr(q$Revision: 2.9.2.4 $, 10);
+$VERSION = substr(q$Revision: 2.9.2.5 $, 10);
@EXPORT = qw (
@@ -2975,8 +2975,12 @@
$value = filter_value($opt->{filter}, $value, $var);
$CGI::values{$var} = $value unless $opt->{keep};
}
- return $value unless $opt->{hide};
- return '';
+
+ return '' if $opt->{hide};
+
+ $value =~ s/</</g
+ unless $opt->{enable_html};
+ return $value;
}
# Returns the text of a user entered field named VAR.
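Review bot: as rendered, `$value =~ s/</</g` replaces < with itself and is a no-op; the replacement was almost certainly an HTML entity (&lt;) that the mail archive decoded, so verify the committed source rather than this listing. Even with the entity in place only < is escaped: >, & and quote characters pass through, so a value interpolated inside an attribute (value="[cgi foo]") is still not protected. A full HTML escape of those characters, applied unless enable_html is set, would close that gap with the same opt-out.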
@@ -2999,6 +3003,8 @@
}
my $val = $CGI::values{$var} || $::Values->{$var} || return undef;
+ $val =~ s/</</g unless $opt->{enable_html};
+ $val =~ s/\[/[/g unless $opt->{enable_itl};
if($opt->{file_contents}) {
return '' if ! defined $CGI::file{$var};
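Review bot: same rendering caveat, `s/</</g` and `s/\[/[/g` read as no-ops here and presumably carry entities in the real file. This is the only one of the three Interpolate.pm hunks that also neutralises [ (gated by enable_itl); the [cgi ...] hunk above and the [value ...] hunk below escape < only and rely on the NoReparse change in Parse.pm to keep user-supplied ITL from being interpreted, so the three sites now differ in policy. One shared helper (escape < unless enable_html, [ unless enable_itl) called from all three would keep them consistent.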
@@ -3371,6 +3377,8 @@
$::Scratch->{$var} = $value if $opt->{scratch};
return '' if $opt->{hide};
return $opt->{default} if ! $value and defined $opt->{default};
+ $value =~ s/</</g
+ unless $opt->{enable_html};
return $value;
}
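Review bot: the substitution runs after `$::Scratch->{$var} = $value if $opt->{scratch}`, so the scratch copy keeps the raw value and will be emitted unescaped by a later [scratch ...] tag; the `return $opt->{default}` path likewise returns the default unescaped, which is fine if defaults are designer-controlled but deserves a comment. Move the substitution above the scratch assignment if the stored copy is meant to be safe for output.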
2.0.2.3 +5 -2 interchange/lib/Vend/Parse.pm
rev 2.0.2.3, prev_rev 2.0.2.2
Index: Parse.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Parse.pm,v
retrieving revision 2.0.2.2
retrieving revision 2.0.2.3
diff -u -r2.0.2.2 -r2.0.2.3
--- Parse.pm 2001/10/06 06:20:08 2.0.2.2
+++ Parse.pm 2001/10/13 23:10:23 2.0.2.3
@@ -1,6 +1,6 @@
# Vend::Parse - Parse Interchange tags
#
-# $Id: Parse.pm,v 2.0.2.2 2001/10/06 06:20:08 mheins Exp $
+# $Id: Parse.pm,v 2.0.2.3 2001/10/13 23:10:23 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -35,7 +35,7 @@
@ISA = qw(Exporter Vend::Parser);
-$VERSION = substr(q$Revision: 2.0.2.2 $, 10);
+$VERSION = substr(q$Revision: 2.0.2.3 $, 10);
@EXPORT = ();
@EXPORT_OK = qw(find_matching_end);
@@ -241,6 +241,7 @@
assign 1
banner 1
catch 1
+ cgi 1
charge 1
checked 1
counter 1
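Review bot: adding cgi to this table (the %NoReparse list consulted by the `defined $NoReparse{$tag}` check later in this file) is what stops ITL in a submitted field from being interpreted when [cgi ...] output is reparsed. The hunk does not show whether value is already in the list, and the [value ...] hunk in Interpolate.pm escapes < but not [, so confirm value is covered too; otherwise the [ gap remains for that tag.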
@@ -1205,6 +1206,7 @@
return 1;
}
+ $attr->{enable_html} = 1 if $Vend::Cfg->{Promiscuous};
$attr->{'decode'} = 1 unless defined $attr->{'decode'};
$attr->{'reparse'} = 1 unless defined $NoReparse{$tag}
|| defined $attr->{'reparse'};
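Review bot: `$attr->{enable_html} = 1 if $Vend::Cfg->{Promiscuous}` unconditionally overrides an explicit enable-html=0 written on a tag, so a designer cannot opt a single tag back into escaping on a Promiscuous site; `unless defined $attr->{enable_html}` would preserve that. The same line is repeated in the second parser path in the next hunk; a shared helper would keep the two in step.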
@@ -1508,6 +1510,7 @@
$self->{INVALID} += $p->{INVALID};
}
+ $attr->{enable_html} = 1 if $Vend::Cfg->{Promiscuous};
$attr->{'reparse'} = 1
unless (defined $NoReparse{$tag} || defined $attr->{'reparse'});
No revision
No revision
2.7.2.3 +44 -9 interchange/scripts/interchange.PL
rev 2.7.2.3, prev_rev 2.7.2.2
Index: interchange.PL
===================================================================
RCS file: /anon_cvs/repository/interchange/scripts/interchange.PL,v
retrieving revision 2.7.2.2
retrieving revision 2.7.2.3
diff -u -r2.7.2.2 -r2.7.2.3
--- interchange.PL 2001/09/04 13:25:17 2.7.2.2
+++ interchange.PL 2001/10/13 23:10:24 2.7.2.3
@@ -48,9 +48,9 @@
#!/usr/bin/perl
##!~_~perlpath~_~
#
-# Interchange version 4.8.2
+# Interchange version 4.8.3
#
-# $Id: interchange.PL,v 2.7.2.2 2001/09/04 13:25:17 mheins Exp $
+# $Id: interchange.PL,v 2.7.2.3 2001/10/13 23:10:24 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -166,7 +166,7 @@
require Exporter;
BEGIN {
- $VERSION = '4.8.2';
+ $VERSION = '4.8.3';
}
use Fcntl;
@@ -644,7 +644,7 @@
while (($key, $value) = each %CGI::values) {
next unless defined $data{$key};
- $count = (@{$data{$key}} = split /\0/, $value);
+ $count = (@{$data{$key}} = split /\0/, $value, -1);
$max = $count, $maxname = $key if $count > $max;
$min = $count, $minname = $key if $count < $min;
}
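Review bot: adding the -1 limit to split preserves trailing empty fields, so an update whose last multi-value field is empty now changes the computed $count and therefore $max and $min; this is a behaviour change unrelated to the XSS fix and is mentioned in neither the log nor WHATSNEW.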
@@ -845,6 +845,11 @@
push(@v, $value);
}
+ if(! length($select_key) ) {
+ next if defined $CGI::values{mv_update_empty_key}
+ and ! $CGI::values{mv_update_empty_key};
+ }
+
if($function eq 'delete') {
$base_db->delete_record($select_key);
}
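Review bot: the new mv_update_empty_key guard is undocumented and absent from the log. As written the skip only happens when the variable is submitted and false; in the default case (not submitted) an empty $select_key still reaches `delete_record($select_key)` below, which is the risky case. Consider making the skip the default (`next unless $CGI::values{mv_update_empty_key}`) and letting callers opt in, and record the option in WHATSNEW.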
@@ -1054,13 +1059,43 @@
) = encrypt_standard_cc(\%CGI::values);
}
- my ($key, $value);
- while (($key, $value) = each %CGI::values) {
+ my $restrict;
+ if($restrict = $Vend::Session->{restrict_html} and ! ref $restrict) {
+ $restrict = [ map { lc $_ } split /\s+/, $restrict ];
+ $Vend::Session->{restrict_html} = $restrict;
+ }
+
+ while (my ($key, $value) = each %CGI::values) {
+ # values explicly ignored in configuration
next if defined $Ignore{$key};
- next if defined $Vend::Cfg->{FormIgnore}->{$key};
- next if ($key =~ m/^quantity\d+$/);
+ next if defined $Vend::Cfg->{FormIgnore}{$key};
+
+#LEGACY
# We add any checkbox ordered items, but don't update --
# we don't want to order them twice
+ next if ($key =~ m/^quantity\d+$/);
+#END LEGACY
+
+ # Admins should know what they are doing
+ if($Vend::admin) {
+ $::Values->{$key} = $value;
+ next;
+ }
+ elsif ($restrict and $value =~ /</) {
+ # Allow designer to allow only certain HTML tags from trusted users
+ # Will go away when current session ends...
+ # [ script start character handled in [value ...] ITL tag
+ $value = Vend::Interpolate::filter_value(
+ 'restrict_html',
+ $value,
+ $key,
+ @$restrict,
+ );
+ next;
+ }
+ $value =~ tr/<[//d;
+ $value =~ s/<//ig;
+ $value =~ s/[//g;
$::Values->{$key} = $value;
}
}
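Review bot: in the restrict_html branch the filtered value is never stored: `$value = Vend::Interpolate::filter_value(...)` is followed by `next`, which skips the `$::Values->{$key} = $value` at the bottom of the loop, so a session with restrict_html set loses the field entirely while an unrestricted session has it saved; drop the `next` or assign before it. Separately, `$value =~ tr/<[//d` as rendered deletes < and [ outright, leaving the two substitutions after it nothing to match; as in Interpolate.pm the replacements were probably entities decoded by the archive, so check the committed file, and if the tr really is there the s/// lines are dead. Finally, the `$Vend::admin` bypass stores the raw value and relies on the tag-level escaping in [value ...] at output time; a comment saying so would stop someone later removing that escaping on the assumption that input filtering covers admins.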
@@ -2329,7 +2364,7 @@
=head1 VERSION
-4.8.2
+4.8.3
=head1 DESCRIPTION