bugfix: parameter passing in cgilite_value calls

[cgilite] / cgilite.sh

diff --git a/cgilite.sh b/cgilite.sh
index b7067a70ae2fd95bb84e70cc89d43f2441d56173..9fa56eef0633f22e7fa5d8f901ddf776143a6a55 100755 (executable)
--- a/cgilite.sh
+++ b/cgilite.sh
@@ -18,6 +18,9 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with CGIlite.  If not, see <http://www.gnu.org/licenses/>. 
 
+[ -n "$include_cgilite" ] && return 0
+# guard set after webserver part
+
 # ksh and zsh workaround
 # set -o posix # ksh, not portable
 setopt -o OCTAL_ZEROES 2>&-
@@ -119,11 +122,14 @@ if [ -z "$REQUEST_METHOD" ]; then
   exit 0
 fi
 
+include_cgilite="$0"
+
 if [ "${REQUEST_METHOD}" = POST -a "${CONTENT_LENGTH:-0}" -gt 0 -a \
      "${CONTENT_TYPE}" = "application/x-www-form-urlencoded" ]; then
   cgilite_post="$(head -c "$CONTENT_LENGTH")"
 fi
 
+debug(){ [ $# -gt 0 ] && printf '%s\n' "$@" >&2 || tee -a /dev/stderr; }
 [ "${DEBUG+x}" ] && env >&2
 
 cgilite_count(){
@@ -151,15 +157,15 @@ cgilite_keys(){
   | sort -u
 }
 
-GET(){ cgilite_value "${QUERY_STRING}" $@; }
+GET(){ cgilite_value "${QUERY_STRING}" "$@"; }
 GET_COUNT(){ cgilite_count "${QUERY_STRING}" $1; }
 GET_KEYS(){ cgilite_keys "${QUERY_STRING}"; }
 
-POST(){ cgilite_value "${cgilite_post}" $@; }
+POST(){ cgilite_value "${cgilite_post}" "$@"; }
 POST_COUNT(){ cgilite_count "${cgilite_post}" $1; }
 POST_KEYS(){ cgilite_keys "${cgilite_post}"; }
 
-REF(){ cgilite_value "${HTTP_REFERER#*\?}" $@; }
+REF(){ cgilite_value "${HTTP_REFERER#*\?}" "$@"; }
 REF_COUNT(){ cgilite_count "${HTTP_REFERER#*\?}" $1; }
 REF_KEYS(){ cgilite_keys "${HTTP_REFERER#*\?}"; }
 
@@ -187,6 +193,8 @@ COOKIE(){
 }
 
 HTML(){
+  # Escape HTML cahracters
+  # Also escape [, ], and \n for use in html-sh
   local str out
   [ $# -eq 0 ] && str="$(cat)" || str="$*"
   while [ "$str" ]; do
@@ -196,6 +204,10 @@ HTML(){
       \>*) out="${out}&gt;";;
       \"*) out="${out}&quot;";;
       \'*) out="${out}&#x27;";;
+      \[*) out="${out}&#x5B;";;
+      \]*) out="${out}&#x5D;";;
+      "${CR}"*) out="${out}&#x0D;";;
+      "${BR}"*) out="${out}&#x0A;";;
       *) out="${out}${str%"${str#?}"}";;
     esac
     str="${str#?}"
@@ -204,6 +216,7 @@ HTML(){
 }
 
 URL(){
+  # Escape pathes, so they can be used in link tags and HTTP Headers
   local str out
   [ $# -eq 0 ] && str="$(cat)" || str="$*"
   while [ "$str" ]; do
@@ -213,6 +226,12 @@ URL(){
       \'*) out="${out}%27";;
       \?*) out="${out}%3F";;
       \#*) out="${out}%23";;
+      \[*) out="${out}%5B";;
+      \]*) out="${out}%5D";;
+      \ *) out="${out}%20";;
+      "        "*) out="${out}%09";;
+      "${CR}"*) out="${out}%0D";;
+      "${BR}"*) out="${out}%0A";;
       %*) out="${out}%25";;
       *) out="${out}${str%"${str#?}"}";;
     esac