Fixes for URLs in parentheses, wrong CGI variable for fily copy check…

… boxes, list of text fields that can contain newlines.
pms967 · Nov 3, 2013 · 604aade · 604aade
2 parents 53fb924 + ff545d6
commit 604aade
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 5 deletions.
diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm
@@ -20,6 +20,6 @@
 #    along with DocDB; if not, write to the Free Software
 #    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
-$DocDBVersion = "8.7.20";
+$DocDBVersion = "8.7.21";
 
 1;
diff --git a/DocDB/cgi/HTMLUtilities.pm b/DocDB/cgi/HTMLUtilities.pm
@@ -31,14 +31,14 @@ sub SmartHTML ($) {
   my $AddLineBreaks = exists $ArgRef->{-addLineBreaks} ?  $ArgRef->{-addLineBreaks} : $FALSE;
 
   # Escape text into &x1234; format ignoring a alphanumerics and a few special characters
-  $Text =~ s{([^\:\/\.\-\?\=\+\w\s&#%;]|&(?!#?\w+;))}{"&#x".sprintf("%x", unpack(U,$1)).";"}ge;
+  $Text =~ s{([^\:\/\.\-\?\=\+\w\s&#%;)]|&(?!#?\w+;))}{"&#x".sprintf("%x", unpack(U,$1)).";"}ge;
 
   # Turn found URLs into hyperlinks, adapted from Perl Cookbook, 6.21
   if ($MakeURLs) {
     my $urls = '(http|telnet|gopher|file|wais|ftp|https)';
     my $ltrs = '\w';
     my $gunk = '/#~:.?+=&%@!{};\-';
-    my $punc = '.:?\-';
+    my $punc = '.:?\-\)';
     my $any  = "${ltrs}${gunk}${punc}";
     $Text =~ s{
               \b                    # start at word boundary

diff --git a/DocDB/cgi/ProcessDocumentAdd b/DocDB/cgi/ProcessDocumentAdd
@@ -166,7 +166,7 @@ for (my $i = 1; $i<= $MaxFiles; ++$i) {
   my $Key = $i; # Probably something better later
   my $UploadI = $query -> param("upload$i");
   my $UrlI = $Untaint -> extract(-as_printable => "url$i") || "";
-  my $CopyI = $Untaint -> extract(-as_printable => "copy$i") || "";
+  my $CopyI = $Untaint -> extract(-as_printable => "copyfile$i") || "";
   my $FileIDI = $Untaint -> extract(-as_integer => "fileid$i") || 0;
   my $NewNameI = $Untaint -> extract(-as_safehtml => "newname$i") || ""; # FIXME: More restrictive?
   my $MainI = $Untaint -> extract(-as_printable => "main$i") || "";

diff --git a/DocDB/cgi/UntaintListOfHTML.pm b/DocDB/cgi/UntaintListOfHTML.pm
@@ -30,7 +30,8 @@ use strict;
 use base 'CGI::Untaint::listofwords';
 use HTML::Entities qw(encode_entities_numeric);
 
-sub _untaint_re { qr/^(.*(\000)*)+$/ }
+# Could also add s modifier to regex and .* instead of (.|\n)*
+sub _untaint_re { qr/^((.|\n)*(\000)*)+$/ }
 
 sub is_valid {
   my $self = shift;

diff --git a/DocDB/doc/CHANGES b/DocDB/doc/CHANGES
@@ -1,3 +1,7 @@
+8.7.21
+  Fixes for URLs in parentheses, wrong CGI variable for fily copy check boxes,
+  list of text fields that can contain newlines.
+
 8.7.20
  Fix lots of potential cross-site scripting problems by making (nearly) all
  inputs valid HTML and doing the same with database output. Databases will now