changeset 760:f40036e2598b feature-annex
merged
author | HIROSE Yuuji <yuuji@gentei.org> |
date | Sun, 07 Jun 2020 06:21:02 +0900 |
parents | 262983fbc2ac f9f88278f6a0 |
children | bcd97ab3d4f1 |
files | s4-funcs.sh |
diffstat | 4 files changed, 58 insertions(+), 41 deletions(-) [+] |
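--- a/examples/sns/form/article.def
+++ b/examples/sns/form/article.def
@@ -1,5 +1,5 @@
 シリアル:id:p:serial:
-blogID:blogid:f:blog(id):
+blogID:blogid:pf:blog(id):
 筆者:author:s:author:
 時刻:ctime:s:stamp:
 参照元:parent:s:parent: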
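--- a/mpsplit.pl
+++ b/mpsplit.pl
@@ -30,7 +30,7 @@
 if ($fn =~ /^([^\/]*)$/) {
 $fn = $1;
 }
-$fn =~ s/ /_/g;
+$fn =~ s/[ <>&\#'\"\&|*?]/_/g;
 $fn =~ s,.*[/\\],,;
 open(OUT, ">$dir/$fn");
 print OUT $body;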
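Review bot: The new denylist on `$fn` swaps out a handful of shell and HTML metacharacters but still lets through control characters, `;`, `$`, backquotes and a leading `.` or `-`, and two lines below it the bareword, two-argument, unchecked `open(OUT, ">$dir/$fn")` silently discards `$body` whenever the resulting name cannot be opened. An allowlist is easier to keep correct than a growing denylist: `$fn =~ s/[^\w.-]/_/g;` (with decoded input `\w` keeps non-ASCII letters — confirm how `$fn` is decoded before relying on that), followed by `open my $out, '>', "$dir/$fn" or die "open $dir/$fn: $!";` and `print {$out} $body;`. The enclosing block begins before this hunk, so the empty-name case may already be handled there.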
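--- a/s4-blog.sh
+++ b/s4-blog.sh
@@ -94,8 +94,9 @@
 fi
 test -z "$emails" && return
 err notify: user=$user Admins=`getgroupadmins $blogowner` Mode=$mode Emails="[$emails]"
+quotedowner=`echo $blogowner | nkf -jM | tr -d '\n"'`
 MAIL_FROM=$noreply_from \
-SMAIL_TO="`echo "$blogowner" | nkf -jM | tr -d '\n'` readers <$noreply>" \
+SMAIL_TO="\"$quotedowner\" readers <$noreply>" \
 smail "$emails" "${action}通知 $urlbase"<<EOF
 [$blogtitle]板に${action}がありました。
 ※※※このメイルには返信できません(返信は次のURLへ)※※※
@@ -413,7 +414,7 @@
 cat<<EOF
 <tr id="$id">
 <td class="$tdcls">${picon}__EDIT__<a href="#$aid">#$aid</a>
-<a href="$hlink+$uid" title="${author%@*}">$uname</a>
+<a href="$hlink+$uid" title="${author%@*}">`echo $uname|htmlescape`</a>
 <span title="$tm">${reki:-$tm}</span>
 <__NOTIFY__></td>
 EOF
@@ -544,7 +545,7 @@
 }
 
 lshandout() {
-# $1=rowid of blog
+# $1=rowid of blog (numericalized in s4.cgi)
 blog_writable $1 $user
 rc=$? # =0: writable, $BLOG_NOTMEM bit set => not member
 if [ $((rc & $BLOG_NOTMEM)) -gt 0 ] ; then
@@ -553,10 +554,11 @@
 time=`getvalbyid blog ctime $1|colrm 11`
 owner=`getvalbyid blog owner $1`
 title=`getvalbyid blog title $1`
-ge=`gecos $owner`
+ge=`gecos "$owner"`
+htmlowner=`echo ${ge:-$owner}|htmlescape`
 fh=$tmpd/formhead
-echo "$time [$title]@${ge:-$owner}" > $fh
-lshandoutsub $owner "$@" \
+echo "$time [$title]@$htmlowner" > $fh
+lshandoutsub "$owner" "$@" \
 |_m4 -D_TITLE_="提出状況" \
 -D_FORMHEAD_="syscmd(cat $fh)" \
 -D_FORM_="syscmd(cat)" -D_DUMPHEAD_= -D_DUMPTABLE_= \
@@ -1058,15 +1060,16 @@
 kwd=`echo "$kwd"|htmlescape`
 owner=`getpar owner`
 owner=${owner:-$1}
+grid=`getpar grid`
 msg=""
-if [ -n "$owner" ]; then
+if [ -n "$grid" ]; then
+grp=`getgroupbyid "$grid"`
+qgrp=`sqlquote "$grp"`
+cond="WHERE key='owner' AND val=$qgrp"
+msg="(`linkhome $grid` グループから)"
+elif [ -n "$owner" ]; then
 cond="where key='owner' and val='$owner'"
-if isuser $owner; then
-msg="(`linkhome $owner` さんの記録から)"
-else
-linkhome $owner 1>&3
-msg="(`linkhome $owner` グループから)"
-fi
+msg="(`linkhome $owner` さんの記録から)"
 elif { author=`getpar author`; test -n "$author"; }; then
 atptn=`sqlquotestr $author`
 #kc="$kc${kc:+ AND }author=$atptn"
@@ -1154,7 +1157,7 @@
 }
 listblog() (
 # $1={user,group}
-qow=`sqlquote $1`
+qow=`sqlquote "$1"`
 cond="where a.id in (select id from blog_s where key='owner' and val=$qow) order by ctime desc"
 cgi_form searchart<<EOF
 <label>`cgi_text kwd`という語を含む記事をこの一覧から検索</label>
@@ -1165,7 +1168,7 @@
 )
 
 blog_addentry() {
-# $1=GRPname(if it is a group)
+# $1=GRProwID(if it is a group)
 grprowid=`numericalize $1`
 rowid=`getpar rowid`
 ## err blog_addentry0: rowid=$rowid
@@ -1174,9 +1177,14 @@
 else
 owner=`getpar owner`
 fi
+htmlowner=`echo $owner|htmlescape`
 err blog-add: \$1=$grprowid rowid=$rowid owner=$owner
 if isgroup "$owner"; then
-groupmode=1 listing=$owner guide="[${owner}]" GF_OWNER=$owner
+if [ -z "$grprowid" ]; then
+qgrp=`sqlquote "$owner"` # Inefficient...
+grprowid=`query "SELECT rowid FROM grp WHERE gname=$qgrp;"`
+fi
+groupmode=1 listing=$owner guide="[`linkhome $grprowid`]" GF_OWNER=$owner
 else
 usermode=1 listing=$user guide="[個人]"
 fi
@@ -1215,7 +1223,7 @@
 fi
 fi
 echo "${guide}新規話題作成" > $tmpd/title.$$
-listblog $listing > $tmpd/listblog.$$
+listblog "$listing" > $tmpd/listblog.$$
 genform $formdir/blog.def \
 | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \
 -D_FORMHEAD_="序文は簡単に詳しくはコメントに" \
@@ -1235,6 +1243,7 @@
 fi
 title=`getvalbyid blog title $rowid`
 owner=`getvalbyid blog owner $rowid`
+htmlowner=`echo $owner|htmlescape`
 qowner=`sqlquotestr "$owner"`
 if [ -z "$title" ]; then
 echo "日記番号指定が無効です。" | html p
@@ -1256,7 +1265,7 @@
 else
 grprowid=`query "select rowid from grp where gname=$qowner;"`
 subtitle="グループ
-<a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$owner</a> での話題
+<a href=\"?grp+$grprowid\" accesskey=\"h\" title=\"H\">$htmlowner</a> での話題
 `query \"SELECT printf('(チーム:%s)', val)\
 FROM blog_s
 WHERE id=(SELECT id FROM blog WHERE rowid=$rowid)
@@ -1276,7 +1285,7 @@
 blog_notify_reply $rowid $user "$text" $act
 if [ -n "$grprowid" ]; then
 qgrp=$(sqlquote "$owner")
-dbsetbyid grp $owner wtime "`date '+%F %T'`"
+dbsetbyid grp "$owner" wtime "`date '+%F %T'`"
 else
 dbsetbyid user "$user" wtime "`date '+%F %T'`"
 fi
@@ -1291,7 +1300,7 @@
 fi
 fi
 def=$formdir/article.def
-echo "$title" > $tmpd/title.$$
+echo "$title" | htmlescape > $tmpd/title.$$
 echo "$subtitle$frozen_flag" > $tmpd/subtitle.$$
 ${BLOG_SHOW:-blog_showentry} blog $rowid \
 | _m4 -D_TITLE_="spaste(\`$tmpd/title.$$')" \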
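Review bot: In the hunk at -1058, the new `grid` branch passes its value through `sqlquote` before building `cond`, but the `elif` branch directly below it still interpolates `$owner` — taken from `getpar owner`, i.e. the request — straight into `cond="where key='owner' and val='$owner'"`, and the removed `isuser` test no longer stands between that value and the query. Since the neighbouring lines now show the intended pattern, make the two branches consistent: `qowner=\`sqlquote "$owner"\`` followed by `cond="WHERE key='owner' AND val=$qowner"`. The same hunk also calls `linkhome $owner` unquoted, which word-splits a value containing spaces; `linkhome "$owner"` matches the quoting this commit adds to `sqlquote`, `listblog` and `dbsetbyid` elsewhere in the file. The enclosing function starts and ends outside the hunk.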
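--- a/s4-funcs.sh
+++ b/s4-funcs.sh
@@ -575,15 +575,18 @@
 [ -n "`query $sql`" ] || return 2
 }
 linkhome() {
-# $1=UserOrGroup
-echo -n '<a href="?'
+# $1=UserOrGroupRowid
+echo -n "<a href=\"$myname?"
 if isuser $1; then
 err "select 'home+'||rowid from user where name='$1';"
 query "select 'home+'||rowid from user where name='$1';"
+name=`gecos $1|htmlescape`
 else
+_grid=`numericalize "$1"`
 echo -n "grp+$1"
+name=`query "SELECT gname FROM grp WHERE rowid=$_grid;"|htmlescape`
 fi
-echo "\">`gecos $1`</a>"
+echo "\">$name</a>"
 }
 hreflink() {
 # s4 specific notation:
@@ -1058,7 +1061,8 @@
 }
 htmlescape() {
 sed -e 's/\&/\&/g' -e 's/"/\"/g' -e "s/'/\'/g" \
--e "s/</\</g; s/>/\>/g" -e 's/`/\`/g' -e 's/(/\(/g'
+-e "s/</\</g; s/>/\>/g" -e 's/`/\`/g' -e 's/(/\(/g' \
+-e 's/`/\`/'
 }
 enascii() {
 if [ -z "$enascii" ]; then
@@ -1266,8 +1270,11 @@
 rcptheader=`echo $1|tr ' ' '\n'|sort -u|sed '2,$s/^/To: /g'`
 subj=`echo $2|nkf -jM|tr -d '\n'`
 sender=${SENDER:-$admin}
+# Do not call m4 with directly passing text
+_r=$tmpd/rcpt
+echo -n "${SMAIL_TO:-$rcptheader}" > $_r
 replyto=${REPLYTO:+"Reply-to: $REPLYTO$LF"}
-(_m4 -D_RCPT_="${SMAIL_TO:-$rcptheader}" -D_REPLYTO_="$replyto" -D_SUBJ_="\`$subj'" -D_FROM_="$from" $msgdir/mail-header.m4
+(_m4 -D_RCPT_="spaste(\`$_r')" -D_REPLYTO_="$replyto" -D_SUBJ_="\`$subj'" -D_FROM_="$from" $msgdir/mail-header.m4
 cat $3 | nkf -jd ) | sendmail -f $sender $rcpt
 }
 smail_queue_flush() {
@@ -1297,7 +1304,6 @@
 ORDER by time;
 EOF
 then
-echo rowid=$rid
 cat <<-EOF | sq $workdb
 DELETE FROM smailq
 WHERE rcpts=(SELECT rcpts FROM smailq WHERE rowid=$rid)
@@ -1955,7 +1961,7 @@
 }
 
 search_form() {
-# $1 = { author=<AUTHOR> | grp=<GROUP> }
+# $1 = { author=<AUTHOR> | grid=<GroupRowid> }
 # $2(optional) = pre-input keywords
 help="(1)空白区切りの単語で本文検索
 (2)@YYYY-MM-DD 日付け(シェルパターン可)で日付け検索
@@ -1977,9 +1983,9 @@
 placeholder="このユーザの書込検索"
 help="★★ $g さんの書き込みから検索します$nl$help"
 ;;
-grp=*)
-a=`echo "${1#grp=}"` # group name cannot have quoting marks
-auth="<input type=\"hidden\" name=\"owner\" value=\"$a\">"
+grid=*)
+a=`echo "${1#grid=}"`; a=$((0 + $a))
+auth="<input type=\"hidden\" name=\"grid\" value=\"$a\">"
 placeholder="このグループからの検索"
 ;;
 esac
@@ -2305,7 +2311,8 @@
 # $1=icon-file, $2=Href $3=title $4...=anchor
 src=$1
 href=$2; title=$3; shift 3
-echo "<a href=\"$href\"><img title=\"$title\" src=\"$src\">$@</a>"
+anchor=`echo $@|htmlescape`
+echo "<a href=\"$href\"><img title=\"$title\" src=\"$src\">$anchor</a>"
 )
 listentry() (
 # $1=user/group $2=SearchKeyword $3=condition(if any) $4=grprowid(if in grp)
@@ -2498,6 +2505,7 @@
 # err newlnk=$lnk regmode=$regmode
 icondir=$dir/$id
 # Pick up only last icon
+htmlname=`echo $name|htmlescape`
 echo "<div class=\"iconlist xy$thumbxy $type $ownerp\">
 <p class=\"tag _$tag\">$tag</p>" \
 | _m4 $tagconv
@@ -2525,7 +2533,7 @@
 iconhref2 "$dir/$deficon" "$hrb+$lnk" "$gecos"
 fi
 fi
-echo "<br>$name${ownerp:+<br>($ownerp)}"
+echo "<br>$htmlname${ownerp:+<br>($ownerp)}"
 echo "</div>"
 done
 echo "</div>" # End of List-entry div
@@ -2566,7 +2574,7 @@
 ismember="" # bodyclass="group"
 fi
 bodyclass="$bodyclass grouphome"
-echo "<div class=\"search\">`search_form grp=\"$grp\"`</div>"> $sf
+echo "<div class=\"search\">`search_form grid=\"$grid\"`</div>"> $sf
 echo "グループ $htmlgrp" > $tf
 
 showgroupsub $formdir/grp.def "$grid" | \
@@ -2731,6 +2739,7 @@
 err GRP_ACTION:IN
 grid=${1:-`getpar grp`}
 grp=`getgroupbyid "$grid"`
+htmlgrp=`echo "$grp" | htmlescape`
 myuid=`query "SELECT rowid FROM user WHERE name='$user';"`
 if [ -z "$grp" ]; then
 echo "無効な指定です。" | html p; return
@@ -2738,7 +2747,7 @@
 if ! ismember $user "$grp"; then
 echo "加入者のみに許可された操作です。" | html p; return
 fi
-echo "グループ $grp 個別選択操作" \
+echo "グループ $grp 個別選択操作" \
 | _m4 -D_TITLE_="syscmd(\`cat')" \
 -D_BODYCLASS_="`grp_getbodyclass \"$grp\"`" \
 $layout/html.m4.html
@@ -2946,7 +2955,7 @@
 ORDER BY gecos;"
 ## err grpaction: "`echo \"$sql\"`"
 tf=$tmpd/title.$$
-echo "グループ[<a href=\"?grp+$grid\">$grp</a>]参加メンバーに対する操作" > $tf
+echo "グループ[<a href=\"?grp+$grid\">$htmlgrp</a>]参加メンバーに対する操作" > $tf
 cmmsg="`cgi_radio rm commission id=\"cmadmin\"`<label accesskey=\"f\"
 title=\"Shortcut: f${nl}Add to Administrator of the Group\"
 for=\"cmadmin\">管理者委任</label>
@@ -3029,7 +3038,7 @@
 ${isowner:+$cmmsg$excmsg}
 `cgi_radio rm close id="x"`<label for="x" accesskey="x">×</label>
 </div>
-<h4>$grp 参加者一覧</h4>$fromtonote
+<h4>$htmlgrp 参加者一覧</h4>$fromtonote
 <table class="td2r thl">
 `sq $db -header -html "$sql"`
 </table>
@@ -3263,11 +3272,11 @@
 return
 fi
 grp=`getgroupbyid $rowid`
-members=`collectemail $grp`
+members=`collectemail "$grp"`
 myuid=`query "SELECT rowid FROM user WHERE name='$user';"`
 mailfrom=`email4groupbyuid "$grp" "$myuid" | sed -e 1q -e 's/[ ,].*//'`
 mailfrom="`gecos "$user"` <$mailfrom>"
-sj="グループ $grp 宛メッセージ(from `gecos $user`)"
+sj="グループ「$grp」宛メッセージ(from `gecos $user`)"
 msg=$(cat<<-EOF
 $urlbase?grp+$rowid
 グループ $grp に所属する
@@ -3282,7 +3291,6 @@
 MAIL_FROM=$mailfrom \
 SENDER=$noreply \
 REPLYTO=$mailfrom \
-SMAIL_TO="`echo "$grp" | nkf -jM | tr -d '\n'` readers <$m>" \
 smail "$m" "$sj"
 done
 cat<<EOF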
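Review bot: In the hunk at -575, `linkhome` now derives `_grid=\`numericalize "$1"\`` for the database lookup, but the next line `echo -n "grp+$1"` still writes the raw argument into the href attribute, so the normalised value reaches the query while the unnormalised one reaches the HTML; it should read `echo -n "grp+$_grid"`. In the same function the `isuser` branch interpolates `$1` into `where name='$1'` without `sqlquote`; unless `isuser` restricts the character set rather than merely checking existence, that call deserves the quoting this commit adds elsewhere. In the hunk at -1977, `a=$((0 + $a))` evaluates a non-numeric request value as an arithmetic expression instead of rejecting it; a pattern check such as `case $a in ''|*[!0-9]*) a=0;; esac` (or the project's own `numericalize`, if it reduces input to digits) is the safer normalisation. `linkhome` is complete within its hunk; `search_form` continues outside of it.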