From: Felix Dörre Date: Thu, 31 Jul 2014 21:48:47 +0000 (+0200) Subject: Escape template var output. X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=081aaab69d87705ed2aec541fb936df7850bf09b Escape template var output.
---
diff --git a/src/org/cacert/gigi/Language.java b/src/org/cacert/gigi/Language.java
index 6c03b19c..64831ebd 100644
--- a/src/org/cacert/gigi/Language.java
+++ b/src/org/cacert/gigi/Language.java
@@ -10,7 +10,6 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
-import org.cacert.gigi.util.HTMLEncoder;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -43,7 +42,7 @@ public class Language {
 Element e = (Element) nl.item(i);
 Element id = (Element) e.getElementsByTagName("id").item(0);
 Element msg = (Element) e.getElementsByTagName("msg").item(0);
- translations.put(id.getTextContent(), HTMLEncoder.encodeHTML(msg.getTextContent()));
+ translations.put(id.getTextContent(), msg.getTextContent());
 }
 System.out.println(translations.size() + " strings loaded.");
 }
diff --git a/src/org/cacert/gigi/output/template/OutputVariableCommand.java b/src/org/cacert/gigi/output/template/OutputVariableCommand.java
index f3c424ab..1247891a 100644
--- a/src/org/cacert/gigi/output/template/OutputVariableCommand.java
+++ b/src/org/cacert/gigi/output/template/OutputVariableCommand.java
@@ -10,12 +10,20 @@ public final class OutputVariableCommand implements Outputable {
 private final String raw;
+ private final boolean escaped;
+
 public OutputVariableCommand(String raw) {
- this.raw = raw;
+ if (raw.charAt(0) == '!') {
+ escaped = true;
+ this.raw = raw.substring(1);
+ } else {
+ escaped = true;
+ this.raw = raw;
+ }
 }
 @Override
 public void output(PrintWriter out, Language l, Map vars) {
- Template.outputVar(out, l, vars, raw);
+ Template.outputVar(out, l, vars, raw, escaped);
 }
 }
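Review bot: In the second Language.java hunk, `translations.put(id.getTextContent(), msg.getTextContent())` now stores raw message text, so HTML encoding depends on every consumer of `getTranslation` doing it at output time. This commit updates TranslateCommand and SprintfCommand; any other caller that writes a translated string into a page is not visible in this diff and would now emit it unencoded, so the remaining call sites should be checked. A comment at the put, such as `// stored raw: callers must HTML-encode on output`, would record the contract. The enclosing method starts outside the hunk.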
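Review bot: Both branches of the new constructor in OutputVariableCommand.java assign `escaped = true`, and that field is passed to `Template.outputVar` as the parameter named `unescaped`, so every plain template variable is printed without HTML encoding whether or not it carries the `!` prefix. SprintfCommand in the same commit passes `false` for the unprefixed form, which suggests the `else` branch should read `escaped = false;`. Renaming the field to `unescaped` would make its polarity match the callee. `raw.charAt(0)` would also throw if the template parser ever hands in an empty name; `raw.startsWith("!")` avoids that.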
diff --git a/src/org/cacert/gigi/output/template/SprintfCommand.java b/src/org/cacert/gigi/output/template/SprintfCommand.java
index 1a3c2908..f0a3f359 100644
--- a/src/org/cacert/gigi/output/template/SprintfCommand.java
+++ b/src/org/cacert/gigi/output/template/SprintfCommand.java
@@ -6,6 +6,7 @@ import java.util.Map;
 import org.cacert.gigi.Language;
 import org.cacert.gigi.output.Outputable;
+import org.cacert.gigi.util.HTMLEncoder;
 public final class SprintfCommand implements Outputable {
@@ -22,10 +23,15 @@ public final class SprintfCommand implements Outputable {
 public void output(PrintWriter out, Language l, Map vars) {
 String[] parts = l.getTranslation(text).split("%s");
 String[] myvars = store.toArray(new String[store.size()]);
- out.print(parts[0]);
+ out.print(HTMLEncoder.encodeHTML(parts[0]));
 for (int j = 1; j < parts.length; j++) {
- Template.outputVar(out, l, vars, myvars[j - 1].substring(1));
- out.print(parts[j]);
+ String var = myvars[j - 1];
+ if (var.startsWith("$!")) {
+ Template.outputVar(out, l, vars, myvars[j - 1].substring(2), true);
+ } else {
+ Template.outputVar(out, l, vars, myvars[j - 1].substring(1), false);
+ }
+ out.print(HTMLEncoder.encodeHTML(parts[j]));
 }
 }
 }
diff --git a/src/org/cacert/gigi/output/template/Template.java b/src/org/cacert/gigi/output/template/Template.java
index 2702f6c1..1949d5c6 100644
--- a/src/org/cacert/gigi/output/template/Template.java
+++ b/src/org/cacert/gigi/output/template/Template.java
@@ -17,6 +17,7 @@ import java.util.regex.Pattern;
 import org.cacert.gigi.DevelLauncher;
 import org.cacert.gigi.Language;
 import org.cacert.gigi.output.Outputable;
+import org.cacert.gigi.util.HTMLEncoder;
 public class Template implements Outputable {
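Review bot: In the rewritten loop of `SprintfCommand.output`, `myvars[j - 1]` is bounded by the number of `%s` parts in the translated string rather than by the number of stored variables, so a translation with more placeholders than the template supplies throws ArrayIndexOutOfBoundsException while the page is being written. Since this commit treats translation text as data that must be encoded, a placeholder mismatch should be tolerated as well, for example by checking `j - 1 < myvars.length` before the lookup. The loop also re-reads `myvars[j - 1]` after assigning it to `var`; `var.substring(2)` and `var.substring(1)` would be clearer.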
@@ -150,7 +151,7 @@ public class Template implements Outputable {
 data.output(out, l, vars);
 }
- protected static void outputVar(PrintWriter out, Language l, Map vars, String varname) {
+ protected static void outputVar(PrintWriter out, Language l, Map vars, String varname, boolean unescaped) {
 Object s = vars.get(varname);
 if (s == null) {
@@ -159,7 +160,7 @@ public class Template implements Outputable {
 if (s instanceof Outputable) {
 ((Outputable) s).output(out, l, vars);
 } else {
- out.print(s);
+ out.print(s == null ? "null" : (unescaped ? s.toString() : HTMLEncoder.encodeHTML(s.toString())));
 }
 }
 }
diff --git a/src/org/cacert/gigi/output/template/TranslateCommand.java b/src/org/cacert/gigi/output/template/TranslateCommand.java
index 18bf4476..0dad2473 100644
--- a/src/org/cacert/gigi/output/template/TranslateCommand.java
+++ b/src/org/cacert/gigi/output/template/TranslateCommand.java
@@ -5,6 +5,7 @@ import java.util.Map;
 import org.cacert.gigi.Language;
 import org.cacert.gigi.output.Outputable;
+import org.cacert.gigi.util.HTMLEncoder;
 public final class TranslateCommand implements Outputable {
@@ -16,6 +17,6 @@ public final class TranslateCommand implements Outputable {
 @Override
 public void output(PrintWriter out, Language l, Map vars) {
- out.print(l.getTranslation(raw));
+ out.print(HTMLEncoder.encodeHTML(l.getTranslation(raw)));
 }
 }
diff --git a/src/org/cacert/gigi/pages/account/IssueCertificateForm.templ b/src/org/cacert/gigi/pages/account/IssueCertificateForm.templ
index 16f038d4..9d94937c 100644
--- a/src/org/cacert/gigi/pages/account/IssueCertificateForm.templ
+++ b/src/org/cacert/gigi/pages/account/IssueCertificateForm.templ
@@ -98,7 +98,7 @@ -
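Review bot: In the last Template.java hunk the `unescaped` flag only takes effect in the `else` branch; a value that implements `Outputable` is written through its own `output(...)` and never reaches `HTMLEncoder.encodeHTML`. Each Outputable placed in `vars` is therefore responsible for encoding its own text. That contract and the flag's polarity should be stated in a Javadoc on `outputVar`, for example `@param unescaped if true, the value is written without HTML encoding`. Whether the `s == null ? "null"` arm is reachable depends on the null branch that falls between the two hunks and is not shown.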