Add the /test-title webpage. Accessible to administrators only.
Commit
af57f63dee2822ad784612f9d07b02fadb3e5812cc68e1db1776d0881378b980
Parent
0b24a45f49f9abb…
1 file changed
+33
+33
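--- a/src/style.c
+++ b/src/style.c
@@ -1340,10 +1340,43 @@
      && !login_has_capability(&c, 1, 0) ) zCap[i++] = c;
   }
   zCap[i] = 0;
   return zCap;
 }
+
+/*
+** WEBPAGE: test-title
+**
+** Render a test page in which the page title is set by the "title"
+** query parameter. This can be used to show that HTML or Javascript
+** content in the title does not leak through into generated page, resulting
+** in an XSS issue.
+**
+** Due to the potential for abuse, this webpage is only available to
+** administrators.
+*/
+void page_test_title(void){
+  const char *zTitle;
+  login_check_credentials();
+  if( !g.perm.Admin ){
+    login_needed(0);
+  }
+  zTitle = P("title");
+  if( zTitle==0 ){
+    zTitle = "(No Title)";
+  }
+  style_header("%s", zTitle);
+  @ <p>
+  @ This page sets its title to the value of the "title" query parameter.
+  @ The form below is a convenient way to set the title query parameter:
+  @
+  @ <form method="GET">
+  @ Title: <input type="text" size="50" name="title" value="%h(zTitle)">
+  @ <input type="submit" value="Submit">
+  @ </form>
+  style_finish_page();
+}
 
 /*
 ** WEBPAGE: test_env
 **
 ** Display CGI-variables and other aspects of the run-time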
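Review bot: The admin gate at the top of page_test_title() does not return after login_needed(0), so unless login_needed() is guaranteed never to return, a non-admin request would fall through to P("title") and render the page anyway. Fossil's other WEBPAGE handlers follow the call with an explicit return, so the guard should read `if( !g.perm.Admin ){ login_needed(0); return; }`, which also makes the intent obvious to a reader who does not know login_needed()'s contract. The rest of the hunk is consistent with its stated purpose: the raw parameter is handed to style_header() deliberately, and the echo back into the form is escaped with %h. Minor wording in the new header comment: "leak through into generated page" reads better as "leak through into the generated page".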
| --- src/style.c | |
| +++ src/style.c | |
| @@ -1340,10 +1340,43 @@ | |
| 1340 | && !login_has_capability(&c, 1, 0) ) zCap[i++] = c; |
| 1341 | } |
| 1342 | zCap[i] = 0; |
| 1343 | return zCap; |
| 1344 | } |
| 1345 | |
| 1346 | /* |
| 1347 | ** WEBPAGE: test_env |
| 1348 | ** |
| 1349 | ** Display CGI-variables and other aspects of the run-time |
| 1350 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -1340,10 +1340,43 @@ | |
| 1340 | && !login_has_capability(&c, 1, 0) ) zCap[i++] = c; |
| 1341 | } |
| 1342 | zCap[i] = 0; |
| 1343 | return zCap; |
| 1344 | } |
| 1345 | |
| 1346 | /* |
| 1347 | ** WEBPAGE: test-title |
| 1348 | ** |
| 1349 | ** Render a test page in which the page title is set by the "title" |
| 1350 | ** query parameter. This can be used to show that HTML or Javascript |
| 1351 | ** content in the title does not leak through into generated page, resulting |
| 1352 | ** in an XSS issue. |
| 1353 | ** |
| 1354 | ** Due to the potential for abuse, this webpage is only available to |
| 1355 | ** administrators. |
| 1356 | */ |
| 1357 | void page_test_title(void){ |
| 1358 | const char *zTitle; |
| 1359 | login_check_credentials(); |
| 1360 | if( !g.perm.Admin ){ |
| 1361 | login_needed(0); |
| 1362 | } |
| 1363 | zTitle = P("title"); |
| 1364 | if( zTitle==0 ){ |
| 1365 | zTitle = "(No Title)"; |
| 1366 | } |
| 1367 | style_header("%s", zTitle); |
| 1368 | @ <p> |
| 1369 | @ This page sets its title to the value of the "title" query parameter. |
| 1370 | @ The form below is a convenient way to set the title query parameter: |
| 1371 | @ |
| 1372 | @ <form method="GET"> |
| 1373 | @ Title: <input type="text" size="50" name="title" value="%h(zTitle)"> |
| 1374 | @ <input type="submit" value="Submit"> |
| 1375 | @ </form> |
| 1376 | style_finish_page(); |
| 1377 | } |
| 1378 | |
| 1379 | /* |
| 1380 | ** WEBPAGE: test_env |
| 1381 | ** |
| 1382 | ** Display CGI-variables and other aspects of the run-time |
| 1383 |