include guard for main script, prevent double read of post data

[cgilite] / cgilite.sh

diff --git a/cgilite.sh b/cgilite.sh
index 86ad28073018c9a2626877e74426c0b2d4a95914..f766ee2a425591245926952a5b961dde86cac4ee 100755 (executable)
--- a/cgilite.sh
+++ b/cgilite.sh
@@ -18,6 +18,9 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with CGIlite.  If not, see <http://www.gnu.org/licenses/>. 
 
+[ -n "$include_cgilite" ] && return 0
+# guard set after webserver part
+
 # ksh and zsh workaround
 # set -o posix # ksh, not portable
 setopt -o OCTAL_ZEROES 2>&-
@@ -119,11 +122,14 @@ if [ -z "$REQUEST_METHOD" ]; then
   exit 0
 fi
 
+include_cgilite="$0"
+
 if [ "${REQUEST_METHOD}" = POST -a "${CONTENT_LENGTH:-0}" -gt 0 -a \
      "${CONTENT_TYPE}" = "application/x-www-form-urlencoded" ]; then
   cgilite_post="$(head -c "$CONTENT_LENGTH")"
 fi
 
+debug(){ [ $# -gt 0 ] && printf '%s\n' "$@" >&2 || tee -a /dev/stderr; }
 [ "${DEBUG+x}" ] && env >&2
 
 cgilite_count(){
@@ -187,35 +193,51 @@ COOKIE(){
 }
 
 HTML(){
-  # HTML Entity Coding
-  # Prints UTF-8 string as decimal Unicode Code Points
-  # Useful for escaping user input for use in HTML text and attributes
-  { [ $# -eq 0 ] && cat || printf %s "$*"; } \
-  | hexdump -ve '/1 "%03o\n"' \
-  | while read n; do
-    case $n in
-      # bitbanging octal UTF-8 chains into singular 7 digit octal numbers
-      [01]??) printf '0000%s' $n;; # 7 bit ASCII character, nothing to do
-      2??)    printf '%s' ${n#2};; # tail fragment, append 6 bit
-      3[0123]?) printf '000%s' ${n#3};; # 2 octet (11 bit) chain start
-      34?) printf '00%s' ${n#34};; # 3 octet (16 bit) chain start
-      35?) printf '01%s' ${n#35};; # 3 octet chain start, high
-      36?) printf '%s' ${n#36};;   # 4 octet (21 bit) chain start
+  # Escape HTML cahracters
+  # Also escape [, ], and \n for use in html-sh
+  local str out
+  [ $# -eq 0 ] && str="$(cat)" || str="$*"
+  while [ "$str" ]; do
+    case $str in
+      \&*) out="${out}&amp;";;
+      \<*) out="${out}&lt;";;
+      \>*) out="${out}&gt;";;
+      \"*) out="${out}&quot;";;
+      \'*) out="${out}&#x27;";;
+      \[*) out="${out}&#x5B;";;
+      \]*) out="${out}&#x5D;";;
+      "${CR}"*) out="${out}&#x0D;";;
+      "${BR}"*) out="${out}&#x0A;";;
+      *) out="${out}${str%"${str#?}"}";;
     esac
-  done \
-  | sed -E 's;.{7};&\n;g;' \
-  | while read n; do
-    printf '&#%d;' $((0$n))
+    str="${str#?}"
   done
+  printf %s "$out"
 }
 
 URL(){
-  # Code every character in URL escape hex format
-  # except alphanumeric ascii
-
-  { [ $# -eq 0 ] && cat || printf %s "$*"; } \
-  | hexdump -v -e '/1 ",%02X"' \
-  | sed 's;,;%;g; s;%2F;/;g;'
+  # Escape pathes, so they can be used in link tags and HTTP Headers
+  local str out
+  [ $# -eq 0 ] && str="$(cat)" || str="$*"
+  while [ "$str" ]; do
+    case $str in
+      \&*) out="${out}%26";;
+      \"*) out="${out}%22";;
+      \'*) out="${out}%27";;
+      \?*) out="${out}%3F";;
+      \#*) out="${out}%23";;
+      \[*) out="${out}%5B";;
+      \]*) out="${out}%5D";;
+      \ *) out="${out}%20";;
+      "        "*) out="${out}%09";;
+      "${CR}"*) out="${out}%0D";;
+      "${BR}"*) out="${out}%0A";;
+      %*) out="${out}%25";;
+      *) out="${out}${str%"${str#?}"}";;
+    esac
+    str="${str#?}"
+  done
+  printf %s "$out"
 }
 
 SET_COOKIE(){