From d6ca659b75648cf1001d731484e643aa35888dd7 Mon Sep 17 00:00:00 2001
From: paul <paul@plutz.net>
Date: Sat, 12 Nov 2016 02:44:54 +0000
Subject: [PATCH] improved escaping when writing cards

svn path=/trunk/; revision=143
---
 actions/update_card.sh | 42 +++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/actions/update_card.sh b/actions/update_card.sh
index f18c9ee..c2a4a71 100755
--- a/actions/update_card.sh
+++ b/actions/update_card.sh
@@ -17,7 +17,6 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Confetti.  If not, see <http://www.gnu.org/licenses/>. 
 
-cgi_post
 cgi_refdata
 
 filter="&filter=${_REF[filter]}"
@@ -29,31 +28,40 @@ tempfile="$_DATA/temp/$card"
 cardfile="$_DATA/vcard/$card"
 attfile="$_DATA/mappings/attendance"
 
-_POST[0N]="${_POST[0N]//;/,}"
-_POST[1N]="${_POST[1N]//;/,}"
-_POST[2N]="${_POST[2N]//;/,}"
-_POST[3N]="${_POST[3N]//;/,}"
-_POST[4N]="${_POST[4N]//;/,}"
+vcf_escape(){
+  for each in "$@"; do
+    printf %s\\n "$each" \
+    | sed -r ':X;$!{N;bX}; s;\r\n;\n;g; s;([\n\;,\\]);\\\1;g;'
+  done \
+  | sed -r ':X;$!{N;bX}; s;\n;\;;g'
+}
 
-[ "$_POST[hi_select]" = "list" ] && hi_company="${_POST[hi_company]}" || hi_company="${_POST[hi_other]}"
+[ "${_POST[hi_select]}" = "list" ] || _POST[hi_company]="${_POST[hi_other]}"
 [ -n "${_POST[hi_company]}${_POST[hi_number]}${_POST[hi_status]}" ] \
-&& _POST[X-HEALTH-INSURANCE]="${hi_company//;/,};${_POST[hi_number]//;/,};${_POST[hi_status]//;/,}"
+&& _POST[X-HEALTH-INSURANCE]="$(vcf_escape "${_POST[hi_company]}" "${_POST[hi_number]}" "${_POST[hi_status]}")"
 
 sed -r 's;$;\r;' >"$tempfile" <<EOF
 BEGIN:VCARD
 VERSION:4.0
-N:${_POST[0N]};${_POST[1N]};${_POST[2N]};${_POST[3N]};${_POST[4N]}
+N:$(vcf_escape "${_POST[0N]}" "${_POST[1N]}" "${_POST[2N]}" "${_POST[3N]}" "${_POST[4N]}")
 UID:${_POST[UID]}
 $(
-for field in $VCF_FIELDS; do
-  for key in $field $field{0..100}; do
+  for field in $VCF_FIELDS; do for key in $field $field{0..100}; do
     [ -z "${_POST[$key]+x}" ] && break
-    value="$(printf %s "$_POST[$key]" |sed -r ':a;N;$!ba;s:\n:\\n:g;s:\r:\\r:g')"
-    [ "${key%%[0-9]*}" = TEL ] && tag="TYPE=${_POST[phonetype${key#TEL}]}" || tag=''
-    [ -n "$value" ] && printf '%s:%s\n' "${field}${tag:+;$tag}" "$value"
-  done
-done
-[ "${_POST[action]}" = addfield ] && printf '%s:\n' "${_POST[newfield]}"
+    [ -z "${_POST[$key]}" ] && continue
+    case "$key" in
+      (TEL[0-9]*)
+        printf '%s;TYPE=%s:%s\r\n' "${field}" "${_POST[phonetype${key#TEL}]}" "$(vcf_escape "${_POST[$key]}")"
+        ;;
+      (X-HEALTH-INSURANCE)
+        printf '%s:%s\r\n' "${field}" "${_POST[$key]}"
+        ;;
+      (*)
+        printf '%s:%s\r\n' "${field}" "$(vcf_escape "${_POST[$key]}")"
+        ;;
+    esac
+  done; done
+  [ "${_POST[action]}" = addfield ] && printf '%s:\r\n' "${_POST[newfield]}"
 )
 END:VCARD
 EOF
-- 
2.39.2