kareila ([personal profile] kareila) wrote in [site community profile] changelog, 2011-01-03 09:51 pm

[dw-free] sanitize GET URLs in directory.bml

[commit: http://hg.dwscoalition.org/dw-free/rev/3ec2525b0c3e]

http://bugs.dwscoalition.org/show_bug.cgi?id=3354

New function LJ::page_change_getargs that replaces BML functions. New option
'no_blank' for LJ::create_url.

Patch by [personal profile] kareila.

Files modified:
  • cgi-bin/DW/Controller/Search/Interests.pm
  • cgi-bin/weblib.pl
  • htdocs/directory.bml
--------------------------------------------------------------------------------
diff -r 7f71600083e9 -r 3ec2525b0c3e cgi-bin/DW/Controller/Search/Interests.pm
--- a/cgi-bin/DW/Controller/Search/Interests.pm	Mon Jan 03 11:11:16 2011 -0600
+++ b/cgi-bin/DW/Controller/Search/Interests.pm	Mon Jan 03 15:51:45 2011 -0600
@@ -318,12 +318,14 @@ sub interest_handler {
                         && $should_show->( $_ )          # and should show to the remote user
                       } values %$us;
         my $navbar;
+        my $self_link = sub { LJ::page_change_getargs( page => $_[0] ) };
         my $results =
             LJ::user_search_display( users      => \@ul,
                                      timesort   => 1,
                                      perpage    => 50,
                                      curpage    => exists $args->{page} ?
                                                    $args->{page} : 1,
+                                     self_link  => $self_link,
                                      navbar     => \$navbar );
 
         $rv->{int_users} = { count => scalar( @ul ), navbar => $navbar,
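Review bot: The `$self_link` closure at L27 is byte-identical to the `$newurl` closure this commit introduces in weblib.pl's paging (`sub { LJ::page_change_getargs( page => $_[0] ) }`), so the knowledge of how a page link is built now lives in two files; a named one-argument helper next to page_change_getargs, passed as a code ref from both call sites, would keep it in one place. The closure also reads `$_[0]` unnamed; `my ( $page ) = @_;` would match the unpacking style used in weblib.pl. interest_handler starts and ends outside the hunk.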
diff -r 7f71600083e9 -r 3ec2525b0c3e cgi-bin/weblib.pl
--- a/cgi-bin/weblib.pl	Mon Jan 03 11:11:16 2011 -0600
+++ b/cgi-bin/weblib.pl	Mon Jan 03 15:51:45 2011 -0600
@@ -436,7 +436,22 @@ sub paging_bar {
     return "<div class='action-box'>$nav</div>\n";
 }
 
-# drop-in replacement for BML::paging in non-BML context
+=head2 C<< LJ::page_change_getargs( %args ) >>
+Returns the current URL with a modified list of GET arguments.
+=cut
+
+sub page_change_getargs {
+    my %args = @_;
+    my %cu_opts = ( keep_args => 1, no_blank => 1 );
+
+    # specified args will override keep_args
+    return LJ::create_url( undef, args => \%args, %cu_opts );
+}
+
+=head2 C<< LJ::paging( $listref, $page, $pagesize ) >>
+Drop-in replacement for BML::paging in non-BML context.
+=cut
+
 sub paging {
     my ( $listref, $page, $pagesize ) = @_;
     $page = 1 unless $page && $page == int $page;
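Review bot: The POD added at L46-L48 and L58-L60 has no blank line between the `=head2` command and the paragraph that follows, so POD parsers fold `Returns the current URL with a modified list of GET arguments.` into the heading text itself, and a `=cut` directly after a text line draws a podchecker warning; insert a blank line after each `=head2` line and before each `=cut`. The comment `# specified args will override keep_args` at L54 would help more if it said what `keep_args => 1` means at this call site — presumably every current GET argument is carried over unless named in %args, but that is create_url's contract and is not visible here, so phrase it as `# keep_args => 1 carries over the current GET args; keys named in %args replace them (see create_url)` only after confirming. paging's body continues past the hunk.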
@@ -446,17 +461,7 @@ sub paging {
 
     my $newurl = sub {
         # replaces BML::page_newurl
-        my $page = $_[0];
-        my $r = DW::Request->get;
-        my $args = $r->get_args;
-        my ( $url ) = split /\?/, $r->uri;
-        my @pair = ();
-
-        foreach ( sort grep { $_ ne "page" } keys %$args ) {
-            push @pair, ( LJ::eurl( $_ ) . "=" . LJ::eurl( $args->{$_} ) );
-        }
-        push @pair, "page=$page";
-        return $url . "?" . join( "&", @pair );
+        return LJ::page_change_getargs( page => $_[0] );
     };
 
     $self{itemcount} = scalar @items;
@@ -1201,6 +1206,7 @@ fragment -- add fragment identifier
 fragment -- add fragment identifier
 cur_args -- hashref of current GET arguments to the page
 keep_args -- arguments to keep
+no_blank -- remove keys with null values from GET args
 viewing_style -- include viewing style args
 =cut
 
@@ -1237,10 +1243,14 @@ sub create_url {
     }
 
     foreach my $k ( keys %out_args ) {
-        delete $out_args{$k} unless defined $out_args{$k};
+        if ( ! defined $out_args{$k} ) {
+            delete $out_args{$k};
+        } elsif ( ! length $out_args{$k} ) {
+            delete $out_args{$k} if $opts{no_blank};
+        }
     }
 
-    my $args = encode_url_string( \%out_args );
+    my $args = LJ::encode_url_string( \%out_args, [ sort keys %out_args ] );
 
     $url .= "?$args" if $args;
     $url .= "#" . $opts{fragment} if $opts{fragment};
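Review bot: The `$opts{no_blank}` test at L100 runs once per key although it is loop-invariant, and the three-way branch at L97-L101 reads heavier than the rule it encodes; a single guard `delete $out_args{$k} if !defined $out_args{$k} || ( $opts{no_blank} && !length $out_args{$k} );` expresses the same behaviour in one line. If create_url accepts reference values for multi-valued arguments (not visible here), note that a reference stringifies to a nonzero `length` and so is never treated as blank — a comment stating that this is intended, or an explicit `ref` check, would save the next reader a detour. The `[ sort keys %out_args ]` ordering at L105 is a good change for cache and test determinism and deserves a why-comment such as `# sorted so the same arguments always yield the same URL`. create_url's signature and the construction of %out_args lie outside the hunk.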
diff -r 7f71600083e9 -r 3ec2525b0c3e htdocs/directory.bml
--- a/htdocs/directory.bml	Mon Jan 03 11:11:16 2011 -0600
+++ b/htdocs/directory.bml	Mon Jan 03 15:51:45 2011 -0600
@@ -179,10 +179,8 @@ body<=
         # do a refresh to the page with the finished results.
         # this will display some nice text to the user while they wait
         # for their results.
-        my ($uri, $args) = (BML::get_uri(), BML::get_query_string());
-        $uri .= '?' . $args if $args;
-        my $refurl = LJ::ehtml($LJ::SITEROOT . $uri);
-        $refurl .= ($args ? "&" : "?") . 'start_search=1';
+
+        my $refurl = LJ::ehtml( LJ::page_change_getargs( start_search => 1 ) );
         $headextra = "<meta http-equiv='Refresh' content='1;URL=$refurl' id='refresher' />";
 
         my $dots = LJ::img( 'searchdots', '' );
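Review bot: The removed code built the refresh target as an absolute URL with `$LJ::SITEROOT . $uri` (L118), while the replacement at L121 uses whatever LJ::page_change_getargs returns; if create_url with an undef path yields a site-relative path, the meta refresh now carries a relative URL — browsers resolve it against the current page, but it is a behaviour change worth confirming, e.g. with a comment `# page_change_getargs yields an absolute URL — verified against create_url` once checked. The stray blank line left at L120 where the four removed lines stood makes the block read as if something is missing; drop it. The enclosing block starts outside the hunk.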
@@ -211,16 +209,9 @@ body<=
         <?h1 $ML{'.search_results'} h1?>
     };
 
-
-    my ( $uri, $args ) = ( BML::get_uri(), BML::get_query_string() );
-
-    $args =~ s/(\?|\&)page=\d*//gi;
-    $args =~ s/(\?|\&)journaltype=[CPI]?//gi;
-    $args =~ s/(\?|\&)start_search=\d*//gi;
-    $uri .= '?' . $args if $args;
-
-    my $filter_url = LJ::ehtml( $LJ::SITEROOT . $uri );
-    $filter_url .= ($args ? "&" : "?") . 'start_search=1';
+    my $filter_url = LJ::ehtml( LJ::page_change_getargs( start_search => 1,
+                                                         journaltype => '',
+                                                         page => '' ) );
 
     my $all_search = "$ML{'.new_all_search'}";
     $all_search = "<a href='$filter_url'>$all_search</a>"
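Review bot: The `journaltype => ''` and `page => ''` arguments at L140-L141 only clear those filters because page_change_getargs turns on create_url's `no_blank` option; nothing at the call site says so, and a reader will take them for literal empty values. Suggest a comment above the call: `# empty values are dropped from the query (no_blank), which removes the journaltype/page filters from the link`. The old regexes at L132-L134 matched case-insensitively, whereas the hash-based replacement is key-exact; that is presumably fine if create_url is the only producer of these links, but worth confirming.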
--------------------------------------------------------------------------------