Comment:Added safe handling for params
SHA1: 4bccacb50f3fae81f4299cccc4a481d14d438ad7
User & Date: matt on 2016-09-22 06:28:07
Changes

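--- a/doc/howto.txt
+++ b/doc/howto.txt
@@ -141,7 +141,16 @@
    (s:input 'type "submit"   'name "form-name" 'value "login"))
 
 (s:get-input 'email-address)
 
 To preserve the input simply do a set of the value on the 'name field:
 (s:set! "email-address" "matt@kiatoa.com")
 
+Radio buttons:
+
+	(s:div 'class "col_3"
+		       (s:input 'type "radio" 'id "group-type1" 'name "group-type" 'value "private" 'checked "checked")
+		       (s:label 'for "group-type1" 'class "inline" "Private")
+		       (s:input 'type "radio" 'id "group-type2" 'name "group-type" 'value "public")
+		       (s:label 'for "group-type2" 'class "inline" "Public"))
+
+       (s:get-input 'group-type) ==> returns private or public depending on which is selected.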

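--- a/session.scm
+++ b/session.scm
@@ -715,18 +715,39 @@
      (cons header pagedat))))
 
 (define (session:log self . msg)
   (with-output-to-port (sdat-get-log-port self) ;; (sdat-get-logpt self)
     (lambda () 
       (apply print msg))))
 
+;; escape, convert or return raw when given user input data that potentially
+;; could be malicious
+;;
+(define (session:apply-type-preference res params)
+  (let* ((dtype    (if (null? params)
+		       'escaped
+		       (car params)))
+	 (tags    (if (null? params)
+		      '()
+		      (cdr params))))
+    (case dtype
+      ((raw)     res)
+      ((number)  (if (string? res)(string->number res) #f))
+      ((escaped) (if (string? res)
+		     (s:html-filter->string res tags)
+		     res))
+      (else      (if (string? res)
+		     (s:html-filter->string res '())
+		     res)))))
+
-(define (session:get-param self key)
+(define (session:get-param self key type-params)
   ;; (session:log s:session "params=" (slot-ref s:session 'params))
-  (let ((params (sdat-get-params self)))
-    (session:get-param-from params key)))
+  (let* ((params (sdat-get-params self))
+	 (res    (session:get-param-from params key)))
+    (session:apply-type-preference res type-params)))
 
 ;; This one will get the first value found regardless of form
 ;; param: (dtype [tag1 tag2 ...])
 ;; dtype:
 ;;    'raw     : do no conversion
 ;;    'number  : convert to number, return #f if fails
 ;;    'escaped : use html-escape to protect the input -- this is the default
@@ -766,15 +787,15 @@
 	(if (and (vector? formdat)(eq? (vector-length formdat) 1)(hash-table? (vector-ref formdat 0)))
 	    (formdat:keys formdat)
 	    (begin
 	      (session:log self "ERROR: formdat: " formdat " is not of class <formdat>")
 	      #f)))))
 
 (define (session:run-actions self)
-  (let* ((action    (session:get-param self 'action))
+  (let* ((action    (session:get-param self 'action '(raw)))
 	 (page      (sdat-get-page self)))
     ;; (print "action=" action " page=" page)
     (if action
 	(let ((action-lst  (string-split action ".")))
 	  ;; (print "action-lst=" action-lst)
 	  (if (not (= (length action-lst) 2)) 
 	      (err:log "Action should be of form: module.action")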
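Review bot: `session:get-param` at new line 736 now takes `type-params` as a required positional argument, so any caller still using the old two-argument form `(session:get-param self key)` will fail with an arity error at runtime instead of getting the default `'escaped` handling; only the two callers in this commit (`session:run-actions` and `s:get-param`) were updated, and whether others exist is not visible here. Declaring it as `(define (session:get-param self key #!optional (type-params '()))` keeps both call shapes working and makes the safe default reachable without an explicit argument. In `session:apply-type-preference` the `else` branch is a sound fail-closed choice, but it also means a misspelled dtype such as `'numbr` silently degrades to full escaping; a comment like `;; unknown dtype: fall back to escaping everything (fail closed)` would make that intent explicit to the next maintainer. The `number` branch returns whatever `string->number` parses (radix prefixes, rationals, exponent forms included), so callers that need a plain integer should still check `integer?` and a sensible range on the result. `session:run-actions` continues past the hunk, so what is done with the raw `action` value after the split cannot be reviewed here.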

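--- a/setup.scm
+++ b/setup.scm
@@ -45,16 +45,16 @@
   (if (null? partsl)
       (session:call s:session page #f)
       (session:call s:session page (car partsl))))
 
 (define (s:link-to page . params)
   (session:link-to s:session page params))
 
-(define (s:get-param key)
-  (session:get-param s:session key))
+(define (s:get-param key . type-params)
+  (session:get-param s:session key type-params))
 
 ;; these are page local
 (define (s:get key) 
   (session:page-get s:session key))
 
 (define (s:set! key val)
   (session:curr-page-set! s:session key val))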
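Review bot: `s:get-param` at new line 52 gains a rest parameter whose meaning (a dtype symbol followed by an optional list of allowed HTML tags) is documented only in session.scm, while this is the entry point page authors will actually call. A short comment above the define would save them the trip, e.g. `;; (s:get-param key) => html-escaped string; (s:get-param key 'raw) => unfiltered; (s:get-param key 'number) => number or #f`. It is also worth stating there that omitting the dtype gives the escaped form, so the safe behaviour is the default rather than something callers must opt into.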