Enhance codecheck1.c to detect cases where style_header() is called with arguments that are not easily proven to be HTML-free. Fix multiple calls to style_header() to prove they are always HTML-free.
Commit
2da41072ffefda46af03195e4098099d0b3860cc8ccc567bbbd024e80a24bf6f
Parent
0150eda979ee867…
17 files changed
+1
-1
+2
-2
+1
-1
+8
-8
+1
-1
+2
-2
+2
-2
+2
-2
+1
-1
+1
-1
+1
-1
+4
-2
+1
-1
+4
-4
+1
-1
+2
-2
+30
-3
+1
-1
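--- a/src/branch.c
+++ b/src/branch.c
@@ -944,11 +944,11 @@
 }
 if( showAll ) brFlags = BRL_BOTH;
 if( showClosed ) brFlags = BRL_CLOSED_ONLY;
 
 style_set_current_feature("branch");
-style_header("%s", showClosed ? "Closed Branches" :
+style_header("%h", showClosed ? "Closed Branches" :
 showAll ? "All Branches" : "Open Branches");
 style_submenu_element("Timeline", "brtimeline");
 if( showClosed ){
 style_submenu_element("All", "brlist?all");
 style_submenu_element("Open", "brlist?open");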
+2
-2
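--- a/src/browse.c
+++ b/src/browse.c
@@ -232,11 +232,11 @@
 zHeader = mprintf("%z matching \"%s\"", zHeader, zRegexp);
 zMatch = mprintf(" matching \"%h\"", zRegexp);
 }else{
 zMatch = "";
 }
-style_header("%s", zHeader);
+style_header("%h", zHeader);
 fossil_free(zHeader);
 style_adunit_config(ADUNIT_RIGHT_OK);
 sqlite3_create_function(g.db, "pathelement", 2, SQLITE_UTF8, 0,
 pathelementFunc, 0, 0);
 url_initialize(&sURI, "dir");
@@ -795,11 +795,11 @@
 zHeader = mprintf("Files in %s/ of %s", zD, zCI);
 }else{
 zHeader = mprintf("All Files in %s/", zD);
 }
 }
-style_header("%s", zHeader);
+style_header("%h", zHeader);
 fossil_free(zHeader);
 
 /* Compute the title of the page */
 blob_zero(&dirname);
 if( zD ){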
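Review bot: The new `%h` at line 237 escapes zHeader on output, but zHeader itself is still assembled with `%s` at line 232 (and at 795/797 in the second hunk), while the sibling zMatch at line 233 is escaped at construction with `%h`, so the two strings in the same function now follow opposite conventions. That is correct as long as zHeader is only ever handed to style_header, which appears to be the case since it is freed on the very next line, but a reader auditing for HTML-safety has to follow both paths to see it. A one-line comment at line 232 would pin the contract: `/* zHeader is raw text; style_header("%h", ...) below escapes it for HTML */`. zRegexp, zD and zCI look request-derived, so the hardening at 237 and 800 matters; the enclosing functions start outside both hunks.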
+1
-1
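--- a/src/dispatch.c
+++ b/src/dispatch.c
@@ -838,11 +838,11 @@
 if( zCmd && *zCmd ){
 int rc;
 const CmdOrPage *pCmd = 0;
 
 style_set_current_feature("tkt");
-style_header("Help: %s", zCmd);
+style_header("Help: %h", zCmd);
 
 style_submenu_element("Command-List", "%R/help");
 if( search_restrict(SRCH_HELP)!=0 ){
 style_submenu_element("Search","%R/search?y=h");
 }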
+8
-8
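--- a/src/doc.c
+++ b/src/doc.c
@@ -791,14 +791,14 @@
 blob_init(&title,0,0);
 if( fossil_strcmp(zMime, "text/x-fossil-wiki")==0 ){
 Blob tail = BLOB_INITIALIZER;
 style_adunit_config(ADUNIT_RIGHT_OK);
 if( wiki_find_title(pBody, &title, &tail) ){
-if( !isPopup ) style_header("%s", blob_str(&title));
+if( !isPopup ) style_header("%h", blob_str(&title));
 wiki_convert(&tail, 0, WIKI_BUTTONS);
 }else{
-if( !isPopup ) style_header("%s", zDefaultTitle);
+if( !isPopup ) style_header("%h", zDefaultTitle);
 wiki_convert(pBody, 0, WIKI_BUTTONS);
 }
 if( !isPopup ){
 document_emit_js();
 style_finish_page();
@@ -807,40 +807,40 @@
 }else if( fossil_strcmp(zMime, "text/x-markdown")==0 ){
 Blob tail = BLOB_INITIALIZER;
 markdown_to_html(pBody, &title, &tail);
 if( !isPopup ){
 if( blob_size(&title)>0 ){
-style_header("%s", blob_str(&title));
+style_header("%h", blob_str(&title));
 }else{
-style_header("%s", zDefaultTitle);
+style_header("%h", zDefaultTitle);
 }
 }
 convert_href_and_output(&tail);
 if( !isPopup ){
 document_emit_js();
 style_finish_page();
 }
 blob_reset(&tail);
 }else if( fossil_strcmp(zMime, "text/plain")==0 ){
-style_header("%s", zDefaultTitle);
+style_header("%h", zDefaultTitle);
 @ <blockquote><pre>
 @ %h(blob_str(pBody))
 @ </pre></blockquote>
 document_emit_js();
 style_finish_page();
 }else if( fossil_strcmp(zMime, "text/html")==0
 && doc_is_embedded_html(pBody, &title) ){
 if( blob_size(&title)==0 ) blob_append(&title,zFilename,-1);
-if( !isPopup ) style_header("%s", blob_str(&title));
+if( !isPopup ) style_header("%h", blob_str(&title));
 convert_href_and_output(pBody);
 if( !isPopup ){
 document_emit_js();
 style_finish_page();
 }
 }else if( fossil_strcmp(zMime, "text/x-pikchr")==0 ){
 style_adunit_config(ADUNIT_RIGHT_OK);
-if( !isPopup ) style_header("%s", zDefaultTitle);
+if( !isPopup ) style_header("%h", zDefaultTitle);
 wiki_render_by_mimetype(pBody, zMime);
 if( !isPopup ) style_finish_page();
 #ifdef FOSSIL_ENABLE_TH1_DOCS
 }else if( Th_AreDocsEnabled() &&
 fossil_strcmp(zMime, "application/x-th1")==0 ){
@@ -847,11 +847,11 @@
 int raw = P("raw")!=0;
 if( !raw ){
 Blob tail;
 blob_zero(&tail);
 if( wiki_find_title(pBody, &title, &tail) ){
-style_header("%s", blob_str(&title));
+style_header("%h", blob_str(&title));
 Th_Render(blob_str(&tail));
 blob_reset(&tail);
 }else{
 style_header("%h", zFilename);
 Th_Render(blob_str(pBody));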
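Review bot: Switching to `%h` at line 833 may double-escape the embedded-HTML case: `doc_is_embedded_html(pBody, &title)` presumably pulls the document's own `<title>` text, which in an HTML source would ordinarily already be entity-encoded, so an `&amp;` in it would now render as `&amp;amp;` in the page header. The same question applies to the title produced by `markdown_to_html` at line 812 and by `wiki_find_title` at 796 and 852 — it depends on whether each producer returns plain text or already-rendered markup, which is not visible here. Worth confirming each producer's output form; where one already returns escaped HTML, either decode before the call or keep that path separate rather than sending both forms through `%h`. The same check applies to event.c line 157, where the `title` blob is filled by a branch outside its hunk. Line 852 now matches the `%h` already used at line 856, which is a welcome consistency fix.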
+1
-1
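--- a/src/event.c
+++ b/src/event.c
@@ -152,11 +152,11 @@
 }
 }else{
 blob_appendf(&title, "Tech-note %S", zId);
 tail = fullbody;
 }
-style_header("%s", blob_str(&title));
+style_header("%h", blob_str(&title));
 if( g.perm.WrWiki && g.perm.Write && nextRid==0 ){
 style_submenu_element("Edit", "%R/technoteedit?name=%!S", zId);
 if( g.perm.Attach ){
 style_submenu_element("Attach",
 "%R/attachadd?technote=%!S&from=%R/technote/%!S", zId, zId);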
+2
-2
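--- a/src/finfo.c
+++ b/src/finfo.c
@@ -384,13 +384,13 @@
 fnid = db_int(0, "SELECT fnid FROM filename WHERE name=%Q", zFilename);
 ridCi = zCI ? name_to_rid_www("ci") : 0;
 if( fnid==0 ){
 style_header("No such file");
 }else if( ridCi==0 ){
-style_header("All files named \"%s\"", zFilename);
+style_header("All files named \"%h\"", zFilename);
 }else{
-style_header("History of %s of %s",zFilename, zCI);
+style_header("History of %h of %h",zFilename, zCI);
 }
 login_anonymous_available();
 tmFlags = timeline_ss_submenu();
 if( tmFlags & TIMELINE_COLUMNAR ){
 zStyle = "Columnar";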
+2
-2
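--- a/src/forum.c
+++ b/src/forum.c
@@ -1209,11 +1209,11 @@
 " WHERE event.objid=forumpost.fpid"
 " AND forumpost.fpid=%d;",
 fpid
 );
 style_set_current_feature("forum");
-style_header("%s%s", zThreadTitle, *zThreadTitle ? "" : "Forum");
+style_header("%h%s", zThreadTitle, *zThreadTitle ? "" : "Forum");
 fossil_free(zThreadTitle);
 if( mode!=FD_CHRONO ){
 style_submenu_element("Chronological", "%R/%s/%s?t=c%s%s", g.zPath, zName,
 bUnf ? "&unf" : "", bHist ? "&hist" : "");
 }
@@ -1934,11 +1934,11 @@
 login_needed(g.anon.RdForum);
 return;
 }
 cgi_check_for_malice();
 style_set_current_feature("forum");
-style_header("%s%s", db_get("forum-title","Forum"),
+style_header("%h%s", db_get("forum-title","Forum"),
 isSearch ? " Search Results" : "");
 style_submenu_element("Timeline", "%R/timeline?ss=v&y=f&vfx");
 if( g.perm.WrForum ){
 style_submenu_element("New Thread","%R/forumnew");
 }else{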
+2
-2
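--- a/src/info.c
+++ b/src/info.c
@@ -2928,11 +2928,11 @@
 }else if( descOnly ){
 zHeader = mprintf("Artifact Description [%S]", zUuid);
 }else{
 zHeader = mprintf("Artifact [%S]", zUuid);
 }
-style_header("%s", zHeader);
+style_header("%h", zHeader);
 fossil_free(zCIUuid);
 fossil_free(zHeader);
 if( !isFile && g.perm.Admin ){
 Stmt q;
 db_prepare(&q,
@@ -3703,11 +3703,11 @@
 cgi_redirectf("%R/ci/%S", zUuid);
 }
 blob_zero(&comment);
 blob_append(&comment, zNewComment, -1);
 zUuid[10] = 0;
-style_header("Edit Check-in [%s]", zUuid);
+style_header("Edit Check-in [%h]", zUuid);
 if( P("preview") ){
 Blob suffix;
 int nTag = 0;
 @ <b>Preview:</b>
 @ <blockquote>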
+1
-1
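--- a/src/report.c
+++ b/src/report.c
@@ -1213,11 +1213,11 @@
 style_submenu_element("SQL", "%R/rptsql/%d",rn);
 }
 if( g.perm.NewTkt ){
 style_submenu_element("New Ticket", "%R/tktnew");
 }
-style_header("%s", zTitle);
+style_header("%h", zTitle);
 }
 if( zDesc && zDesc[0] && zMimetype ){
 Blob src;
 blob_init(&src, zDesc, -1);
 wiki_render_by_mimetype(&src, zMimetype);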
+1
-1
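--- a/src/skins.c
+++ b/src/skins.c
@@ -996,11 +996,11 @@
 isRevert = 1;
 }
 
 db_begin_transaction();
 style_set_current_feature("skins");
-style_header("%s", zTitle);
+style_header("%h", zTitle);
 for(j=0; j<count(aSkinAttr); j++){
 style_submenu_element(aSkinAttr[j].zSubmenu,
 "%R/setup_skinedit?w=%d&basis=%h&sk=%d",j,zBasis,iSkin);
 }
 @ <form action="%R/setup_skinedit" method="post"><div>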
+1
-1
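--- a/src/th_main.c
+++ b/src/th_main.c
@@ -1540,11 +1540,11 @@
 ){
 if( argc!=2 ){
 return Th_WrongNumArgs(interp, "styleHeader TITLE");
 }
 if( Th_IsRepositoryOpen() ){
-style_header("%s", argv[1]);
+style_header("%h", argv[1]);
 Th_SetResult(interp, 0, 0);
 return TH_OK;
 }else{
 Th_SetResult(interp, "repository unavailable", -1);
 return TH_ERROR;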
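Review bot: Line 1545 changes the observable contract of the TH1 `styleHeader TITLE` command: if style_header does not escape its argument itself, as the commit message implies, TITLE was previously emitted verbatim and any markup a skin or TH1 document put in it was rendered, whereas it is now HTML-escaped and shows literally. That is the safer default, since TITLE can come from a TH1 script carrying less-trusted content, but it is a compatibility change for existing scripts and the command's doc comment (above line 1540, outside the hunk) and the TH1 reference should say so, e.g. `** TITLE is HTML-escaped; markup in TITLE is shown literally, not rendered.` A line in the release notes would help skin authors trace a title that suddenly shows raw tags back to this change.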
+4
-2
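--- a/src/tkt.c
+++ b/src/tkt.c
@@ -1250,11 +1250,12 @@
 zTitle = mprintf("Check-ins Associated With Ticket %h", zUuid);
 }else{
 zTitle = mprintf("Timeline Of Ticket %h", zUuid);
 }
 style_set_current_feature("tkt");
-style_header("%z", zTitle);
+style_header("%h", zTitle);
+fossil_free(zTitle);
 
 sqlite3_snprintf(6, zGlobPattern, "%s", zUuid);
 canonical16(zGlobPattern, strlen(zGlobPattern));
 tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname GLOB 'tkt-%q*'",zUuid);
 if( tagid==0 ){
@@ -1306,11 +1307,12 @@
 style_submenu_element("Decoded", "%R/tkthistory/%s", zUuid);
 }else if( g.perm.Admin ){
 style_submenu_element("Raw", "%R/tkthistory/%s?raw", zUuid);
 }
 style_set_current_feature("tkt");
-style_header("%z", zTitle);
+style_header("%h", zTitle);
+fossil_free(zTitle);
 
 tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname GLOB 'tkt-%q*'",zUuid);
 if( tagid==0 ){
 @ No such ticket: %h(zUuid)
 style_finish_page();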
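Review bot: zTitle is already HTML-escaped when it is built with `%h` at lines 1250 and 1252, so passing it through `style_header("%h", zTitle)` at 1255 escapes the same text a second time; a ticket name containing `&` or `<` would show up in the page title as `&amp;` or `&lt;`. In practice zUuid is usually a hex hash, so this is latent rather than visible, but the fix is simple: since style_header now escapes, build the title with `zTitle = mprintf("Timeline Of Ticket %s", zUuid);` (and likewise at 1250), or drop the temporary entirely and pass the literal prefix plus zUuid as a `%h` argument to style_header. The second hunk at 1312 has the same call pattern; its zTitle construction is outside the hunk, so I am assuming it is built the same way. Both enclosing functions start outside their hunks.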
+1
-1
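--- a/src/tktsetup.c
+++ b/src/tktsetup.c
@@ -134,11 +134,11 @@
 z = P("x");
 if( z==0 ){
 z = db_get(zDbField, zDfltValue);
 }
 style_set_current_feature("tktsetup");
-style_header("Edit %s", zTitle);
+style_header("Edit %h", zTitle);
 if( P("clear")!=0 && cgi_csrf_safe(2) ){
 db_unset(zDbField/*works-like:"x"*/, 0);
 if( xRebuild ) xRebuild();
 cgi_redirect("tktsetup");
 }else if( isSubmit && cgi_csrf_safe(2) ){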
+4
-4
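--- a/src/wiki.c
+++ b/src/wiki.c
@@ -471,11 +471,11 @@
 ){
 style_set_current_feature("wiki");
 if( eType==WIKITYPE_UNKNOWN ) eType = wiki_page_type(zPageName);
 switch( eType ){
 case WIKITYPE_NORMAL: {
-style_header("%s%s", zExtra, zPageName);
+style_header("%h%h", zExtra, zPageName);
 break;
 }
 case WIKITYPE_CHECKIN: {
 zPageName += 8;
 if( zExtra[0]==0 && !P("p") ){
@@ -1718,11 +1718,11 @@
 cgi_redirectf("wiki?name=%T", zPageName);
 return;
 }
 style_set_current_page("%T?name=%T", g.zPath, zPageName);
 style_set_current_feature("wiki");
-style_header("Append Comment To: %s", zPageName);
+style_header("Append Comment To: %h", zPageName);
 if( !goodCaptcha ){
 @ <p class="generalError">Error: Incorrect security code.</p>
 }
 if( isSandbox ){
 @ <p class="generalError">Error: the Sandbox page may not
@@ -1776,11 +1776,11 @@
 char zAuthor[64];
 login_check_credentials();
 if( !g.perm.RdWiki ){ login_needed(g.anon.RdWiki); return; }
 zPageName = PD("name","");
 style_set_current_feature("wiki");
-style_header("History Of %s", zPageName);
+style_header("History Of %h", zPageName);
 showRid = P("showid")!=0;
 db_prepare(&q,
 "SELECT"
 " event.mtime,"
 " blob.uuid,"
@@ -1920,11 +1920,11 @@
 nextRid = wiki_next(wiki_tagid(pW1->zWikiTitle),pW1->rDate);
 if( nextRid ){
 style_submenu_element("Next", "%R/wdiff?rid=%d", nextRid);
 }
 style_set_current_feature("wiki");
-style_header("Changes To %s", pW1->zWikiTitle);
+style_header("Changes To %h", pW1->zWikiTitle);
 blob_zero(&d);
 construct_diff_flags(1, &DCfg);
 DCfg.diffFlags |= DIFF_HTML | DIFF_LINENO;
 text_diff(&w2, &w1, &d, &DCfg);
 @ %s(blob_str(&d))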
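Review bot: Line 1930 still emits the diff with `@ %s(blob_str(&d))`, which is correct because DCfg.diffFlags includes DIFF_HTML at 1928, but once cgi_printf is moved back from FMT_FIXME to FMT_HTML in tools/codecheck1.c this `%s` will be reported with no record of why it is acceptable. Annotating it now, `@ %s(blob_str(&d)/*safe-for-%s*/)` (assuming the `@` translator passes the comment through, as the existing `/*works-like:...*/` annotations suggest it does), records the HTML-by-construction argument where the checker reads it. Of the four hunks only 1781 visibly takes its title text straight from the request via `PD("name","")`, so that is the one where `%h` changes observable behaviour; the others are consistent hardening whose inputs are built outside the hunks. All four enclosing functions start outside their hunks.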
+1
-1
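--- a/src/xfersetup.c
+++ b/src/xfersetup.c
@@ -117,11 +117,11 @@
 z = P("x");
 if( z==0 ){
 z = db_get(zDbField, zDfltValue);
 }
 style_set_current_feature("xfersetup");
-style_header("Edit %s", zTitle);
+style_header("Edit %h", zTitle);
 if( P("clear")!=0 && cgi_csrf_safe(2) ){
 db_unset(zDbField/*works-like:"x"*/, 0);
 if( xRebuild ) xRebuild();
 z = zDfltValue;
 }else if( isSubmit && cgi_csrf_safe(2) ){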
+2
-2
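--- a/src/zip.c
+++ b/src/zip.c
@@ -990,11 +990,11 @@
 zKey = blob_str(&cacheKey);
 etag_check(ETAG_HASH, zKey);
 
 style_set_current_feature("zip");
 if( P("debug")!=0 ){
-style_header("%s Archive Generator Debug Screen", zType);
+style_header("%h Archive Generator Debug Screen", zType);
 @ zName = "%h(zName)"<br>
 @ rid = %d(rid)<br>
 if( zInclude ){
 @ zInclude = "%h(zInclude)"<br>
 }
@@ -1004,11 +1004,11 @@
 @ zKey = "%h(zKey)"
 style_finish_page();
 return;
 }
 if( referred_from_login() ){
-style_header("%s Archive Download", zType);
+style_header("%h Archive Download", zType);
 @ <form action='%R/%s(g.zPath)/%h(zName).%s(g.zPath)'>
 cgi_query_parameters_to_hidden();
 @ <p>%s(zType) Archive named <b>%h(zName).%s(g.zPath)</b>
 @ holding the content of check-in <b>%h(zRid)</b>:
 @ <input type="submit" value="Download">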
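Review bot: zType is now escaped with `%h` in style_header at 995 and 1009, yet three lines later, at 1012, the same value goes into the page body as `%s(zType)`, so the two lines make opposite assumptions about one variable. If zType is a fixed literal chosen by the caller, which its use here suggests but the hunk does not show, the `%h` is harmless and 1012 should simply match it for consistency: `@ <p>%h(zType) Archive named <b>%h(zName).%s(g.zPath)</b>`; if it can ever carry request-controlled text, 1012 is the line that actually matters and is currently unchecked because cgi_printf is downgraded to FMT_FIXME in tools/codecheck1.c. The enclosing function starts and ends outside both hunks.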
+30
-3
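--- a/tools/codecheck1.c
+++ b/tools/codecheck1.c
@@ -325,10 +325,30 @@
 if( strstr(z, "/*safe-for-%s*/")!=0 ) return 1;
 
 return 0;
 }
 
+
+/*
+** Return true if the input is an argument that is safe to use with %s
+** while building HTML output.
+*/
+static int is_html_safe(const char *z){
+/* A string literal is safe for use with %s */
+if( is_string_lit(z) ) return 1;
+
+/* Expressions of the form: EXPR ? "..." : "...." can count as
+** a string literal. */
+if( is_string_expr(z) ) return 1;
+
+/* If the "safe-for-%s" comment appears in the argument, then
+** let it through */
+if( strstr(z, "/*safe-for-%s*/")!=0 ) return 1;
+
+return 0;
+}
+
 /*
 ** Return true if the input is an argument that is never safe for use
 ** with %s.
 */
 static int never_safe(const char *z){
@@ -348,10 +368,11 @@
 #define FMT_SQL 0x00001 /* Generator for SQL text */
 #define FMT_HTML 0x00002 /* Generator for HTML text */
 #define FMT_URL 0x00004 /* Generator for URLs */
 #define FMT_JSON 0x00008 /* Generator for JSON */
 #define FMT_SAFE 0x00010 /* Generator for human-readable text */
+#define FMT_FIXME FMT_SAFE
 #define FMT_LIT 0x00020 /* Just verify that a string literal */
 #define FMT_PX 0x00040 /* Must have a literal prefix in format string */
 
 /*
 ** A list of internal Fossil interfaces that take a printf-style format
@@ -369,15 +390,15 @@
 { "backoffice_log", 1, FMT_SAFE },
 { "blob_append_sql", 2, FMT_SQL },
 { "blob_appendf", 2, FMT_SAFE },
 { "cgi_debug", 1, FMT_SAFE },
 { "cgi_panic", 1, FMT_SAFE },
-{ "cgi_printf", 1, FMT_HTML },
-{ "cgi_printf_header", 1, FMT_HTML },
+{ "cgi_printf", 1, FMT_FIXME },
+{ "cgi_printf_header", 1, FMT_FIXME },
 { "cgi_redirectf", 1, FMT_URL },
 { "chref", 2, FMT_URL },
-{ "CX", 1, FMT_HTML },
+{ "CX", 1, FMT_FIXME },
 { "db_blob", 2, FMT_SQL },
 { "db_debug", 1, FMT_SQL },
 { "db_double", 2, FMT_SQL },
 { "db_err", 1, FMT_SAFE },
 { "db_exists", 1, FMT_SQL },
@@ -609,10 +630,14 @@
 
 }else if( (fmtFlags & FMT_SQL)!=0 && !is_sql_safe(zExpr) ){
 printf("%s:%d: Argument %d to %.*s() not safe for SQL\n",
 zFilename, lnFCall, i+fmtArg, szFName, zFCall);
 nErr++;
+}else if( (fmtFlags & FMT_HTML)!=0 && !is_html_safe(zExpr) ){
+printf("%s:%d: Argument %d to %.*s() not safe for HTML\n",
+zFilename, lnFCall, i+fmtArg, szFName, zFCall);
+nErr++;
 }
 }
 }
 }
 }
@@ -662,10 +687,12 @@
 }else if( z[0]=='}' ){
 nCurly--;
 }else if( nCurly>0 && z[0]=='(' && ePrev==TK_ID
 && (x = isFormatFunc(zPrev,szPrev,&fmtFlags))>0 ){
 nErr += checkFormatFunc(zName, zPrev, lnPrev, x, fmtFlags);
+}else if( eVerbose>=3 ){
+printf("TOKEN: [%.*s]\n", szToken, z);
 }
 }
 zPrev = z;
 ePrev = eToken;
 szPrev = szToken;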
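Review bot: `#define FMT_FIXME FMT_SAFE` at line 373 carries no comment, yet it is the line that keeps cgi_printf, cgi_printf_header and CX (395–399) out of the new FMT_HTML check at 635, so every `@`-generated HTML line stays unchecked while the new is_html_safe() only ever runs for the smaller set of interfaces still tagged FMT_HTML. A one-line comment would record that this is deliberate and temporary: `#define FMT_FIXME FMT_SAFE /* Should be FMT_HTML; downgraded until every caller passes is_html_safe() */`. Separately, is_html_safe() at 335–348 appears to repeat the tail of the function ending at 328 (presumably is_sql_safe) line for line, including the shared `/*safe-for-%s*/` escape hatch, so an argument annotated as acceptable for SQL is automatically accepted as HTML-safe as well; if the two checks are meant to stay identical a single function with two callers is clearer, and if they are meant to diverge a context-specific marker such as `/*safe-for-%s-html*/` (name constructed here) would keep the two waivers apart. checkFormatFunc and the tokenizer loop in the last two hunks both start and end outside their hunks.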