|
|
| version 1.71, 2001/10/29 16:29:08 | version 1.117.2.1, 2003/08/15 11:40:45 |
|---|---|
| Line 1 | Line 1 |
| /** @file | /** @file |
| Parser: String class part: untaint mechanizm. | Parser: String class part: untaint mechanizm. |
| Copyright(c) 2001 ArtLebedev Group(http://www.artlebedev.com) | Copyright(c) 2001-2003 ArtLebedev Group (http://www.artlebedev.com) |
| Author: Alexander Petrosyan <paf@design.ru>(http://design.ru/paf) | Author: Alexandr Petrosian <paf@design.ru> (http://paf.design.ru) |
| $Id$ | |
| */ | */ |
| #include "pa_pool.h" | static const char* IDENT_UNTAINT_C="$Date$"; |
| #include "pa_string.h" | #include "pa_string.h" |
| #include "pa_hash.h" | #include "pa_hash.h" |
| #include "pa_exception.h" | #include "pa_exception.h" |
| #include "pa_table.h" | #include "pa_table.h" |
| #include "pa_globals.h" | #include "pa_globals.h" |
| #include "pa_sql_connection.h" | |
| #include "pa_dictionary.h" | #include "pa_dictionary.h" |
| #include "pa_common.h" | #include "pa_common.h" |
| #include "pa_charset.h" | |
| #include "pa_request_charsets.h" | |
| #include "pa_sapi.h" | |
| extern "C" { // author forgot to do that | |
| #include "ec.h" | |
| } | |
| #define PA_SQL | |
| #ifdef PA_SQL | |
| #include "pa_sql_connection.h" | |
| #endif | |
| // defines | |
| #undef CORD_ec_append | |
| // redefining to intercept flushes and implement whitespace optimization | |
| // of all consequent white space chars leaving only first one | |
| #define CORD_ec_append(x, c) \ | |
| { \ | |
| bool skip=false; \ | |
| if(optimize) switch(c) { \ | |
| case ' ': case '\r': case '\n': case '\t': \ | |
| if(whitespace) \ | |
| skip=true; /*skipping subsequent*/ \ | |
| else \ | |
| whitespace=true; \ | |
| break; \ | |
| default: \ | |
| whitespace=false; \ | |
| break; \ | |
| } \ | |
| if(!skip) { \ | |
| if ((x)[0].ec_bufptr == (x)[0].ec_buf + CORD_BUFSZ) { \ | |
| CORD_ec_flush_buf(x); \ | |
| } \ | |
| *((x)[0].ec_bufptr)++ = (c); \ | |
| } \ | |
| } | |
| #define escape(action) \ | #define escape(action) \ |
| { \ | for(; fragment_length--; CORD_next(pos)) { \ |
| const char *src=row->item.ptr; \ | char c=CORD_pos_fetch(pos); \ |
| for(int size=row->item.size; size--; src++) \ | action \ |
| action \ | |
| } | } |
| #define _default default: *dest++=*src; break | #define _default default: CORD_ec_append(result, c); break |
| #define encode(need_encode_func, prefix) \ | #define encode(need_encode_func, prefix, otherwise) \ |
| default: \ | if(need_encode_func(c)) { \ |
| if(need_encode_func(*src)) { \ | static const char* hex="0123456789ABCDEF"; \ |
| static const char *hex="0123456789ABCDEF"; \ | CORD_ec_append(result, prefix); \ |
| char chunk[3]={prefix}; \ | CORD_ec_append(result, hex[((unsigned char)c)/0x10]); \ |
| chunk[1]=hex[((unsigned char)*src)/0x10]; \ | CORD_ec_append(result, hex[((unsigned char)c)%0x10]); \ |
| chunk[2]=hex[((unsigned char)*src)%0x10]; \ | } else \ |
| memcpy(dest, chunk, 3); dest+=3; \ | CORD_ec_append(result, otherwise); |
| } else \ | #define to_char(c) CORD_ec_append(result, c) |
| *dest++=*src; \ | #define to_string(s) CORD_ec_append_cord(result, s) |
| break | |
| #define to_char(c) *dest++=c | |
| #define to_string(b, bsize) \ | |
| memcpy(dest, b, bsize); \ | |
| dest+=bsize; \ | |
| inline bool need_file_encode(unsigned char c){ | inline bool need_file_encode(unsigned char c){ |
| if((c>='0') &&(c<='9') ||(c>='A') &&(c<='Z') ||(c>='a') &&(c<='z')) | // russian letters and space ENABLED |
| return false; | // encoding only these... |
| return strchr( | |
| return !strchr( | "*?'\"<>|" |
| #ifdef WIN32 | #ifndef WIN32 |
| ":\\~" | ":\\" |
| #endif | #endif |
| "./()_-", c); | , c)!=0; |
| } | } |
| inline bool need_uri_encode(unsigned char c){ | inline bool need_uri_encode(unsigned char c){ |
| if((c>='0') &&(c<='9') ||(c>='A') &&(c<='Z') ||(c>='a') &&(c<='z')) | if((c>='0') &&(c<='9') ||(c>='A') &&(c<='Z') ||(c>='a') &&(c<='z')) |
| Line 65 inline bool need_http_header_encode(unsi | Line 100 inline bool need_http_header_encode(unsi |
| // | // |
| static const char * String_Untaint_lang_name[]={ | static const char* String_Untaint_lang_name[]={ |
| "U", ///< zero value handy for hash lookup @see untaint_lang_name2enum | "U", ///< zero value handy for hash lookup @see untaint_lang_name2enum |
| "C", ///< clean | "C", ///< clean |
| "T", ///< tainted, untaint language as assigned later | "T", ///< tainted, untaint language as assigned later |
| Line 84 static const char * String_Untaint_lang_ | Line 119 static const char * String_Untaint_lang_ |
| "SQL", ///< ^table:sql body | "SQL", ///< ^table:sql body |
| "JS", ///< JavaScript code | "JS", ///< JavaScript code |
| "XML", ///< ^dom:set xml | "XML", ///< ^dom:set xml |
| "HTML", ///< HTML code (for editing) | "HTML" ///< HTML code (for editing) |
| "UHTML", ///< HTML code with USER chars | |
| }; | }; |
| // String | // String |
| static bool typo_present(Array::Item *value, const void *info) { | |
| Array *row=static_cast<Array *>(value); | |
| const char *src=static_cast<const char *>(info); | |
| int partial; | |
| row->get_string(0)->cmp(partial, src); | |
| return | |
| partial==0 || // full match | |
| partial==1; // typo left column starts 'src' | |
| } | |
| /* | /* |
| HTTP-header = field-name ":" [ field-value ] CRLF | HTTP-header = field-name ":" [ field-value ] CRLF |
| Line 137 quoted-pair = "\" CHAR | Line 160 quoted-pair = "\" CHAR |
| if(strchr("()<>@,;:\\\"/[]?={} \t", *ptr)) | if(strchr("()<>@,;:\\\"/[]?={} \t", *ptr)) |
| */ | */ |
| inline bool need_quote_http_header(const char *ptr, size_t size) { | inline bool need_quote_http_header(const char* ptr, size_t size) { |
| for(; size--; ptr++) | for(; size--; ptr++) |
| if(strchr(";\\\"= \t" /* excluded ()<>@, :/ ? []{} */, *ptr)) | if(strchr(";\\\"= \t" /* excluded ()<>@, :/ ? []{} */, *ptr)) |
| return true; | return true; |
| return false; | return false; |
| } | } |
| /** @todo maybe additional check "are all pieces are clean?" would be profitable? | |
| @todo fix potential forigins_mode buf overrun | /** |
| appends to other String, | |
| marking all tainted pieces of it with @a lang. | |
| or marking ALL pieces of it with a @a lang when @a forced to, | |
| and propagating OPTIMIZE language bit. | |
| */ | */ |
| size_t String::cstr_bufsize(Untaint_lang lang) const { | String& String::append_to(String& dest, Language lang, bool forced) const { |
| return ( | if(is_empty()) |
| lang==UL_AS_IS? | return dest; |
| size() | |
| : | // first: letters |
| size() | dest.body<<body; |
| *UNTAINT_TIMES_BIGGER | |
| *(forigins_mode?10:1) | // next: fragment infos |
| ) | |
| +1; | if(lang==L_PASS_APPENDED) // without language-change? |
| dest.fragments.append(fragments); | |
| else if(forced) //forcing passed lang? | |
| dest.fragments+=Fragment(lang, length()); | |
| else if(lang&L_OPTIMIZE_BIT) { | |
| for(Array_iterator<ArrayFragment::element_type> i(fragments); i.has_next(); ) { | |
| const Fragment fragment=i.next(); | |
| // main idea here: | |
| // tainted piece would get OPTIMIZED bit from 'lang' | |
| // clean piece would be marked OPTIMIZED manually | |
| // pieces with determined languages [not tainted|clean] would retain theirs langs | |
| dest.fragments+=Fragment(static_cast<Language>( | |
| fragment.lang==L_TAINTED?lang:( | |
| fragment.lang==L_CLEAN?L_CLEAN|L_OPTIMIZE_BIT: // ORing with OPTIMIZED flag | |
| fragment.lang)), | |
| fragment.length); | |
| } | |
| } else { // The core idea: tainted pieces got marked with context's lang | |
| for(Array_iterator<ArrayFragment::element_type> i(fragments); i.has_next(); ) { | |
| const Fragment fragment=i.next(); | |
| dest.fragments+=Fragment( | |
| fragment.lang==L_TAINTED?lang:fragment.lang, | |
| fragment.length); | |
| } | |
| } | |
| ASSERT_STRING_INVARIANT(dest); | |
| return dest; | |
| } | } |
| /** @todo fix theoretical \n mem overrun in TYPO replacements | /** http://www.ietf.org/rfc/rfc2047.txt |
| RFC | |
| (3) As a replacement for a 'word' entity within a 'phrase', for example, | |
| one that precedes an address in a From, To, or Cc header. The ABNF | |
| definition for 'phrase' from RFC 822 thus becomes: | |
| phrase = 1*( encoded-word / word ) | |
| In this case the set of characters that may be used in a "Q"-encoded | |
| 'encoded-word' is restricted to: <upper and lower case ASCII | |
| letters, decimal digits, "!", "*", "+", "-", "/", "=", and "_" | |
| (underscore, ASCII 95.)>. An 'encoded-word' that appears within a | |
| 'phrase' MUST be separated from any adjacent 'word', 'text' or | |
| 'special' by 'linear-white-space'. | |
| ... | |
| (2) The 8-bit hexadecimal value 20 (e.g., ISO-8859-1 SPACE) may be | |
| represented as "_" (underscore, ASCII 95.). (This character may | |
| not pass through some internetwork mail gateways, but its use | |
| will greatly enhance readability of "Q" encoded data with mail | |
| readers that do not support this encoding.) Note that the "_" | |
| always represents hexadecimal 20, even if the SPACE character | |
| occupies a different code position in the character set in use. | |
| paf: obviously, | |
| without "=", or one could not differ "=E0" and "russian letter a" | |
| and without "_", or in would mean 0x20 | |
| */ | |
| inline bool mail_header_char_valid_within_Qencoded(char c) { | |
| return c>='A' && c<='Z' | |
| || c>='a' && c<='Z' | |
| || c>='0' && c<='9' | |
| || strchr("!*+-/", c); | |
| } | |
| inline bool addr_spec_soon(const char *src) { | |
| for(char c; c=*src; src++) | |
| if(c=='<') | |
| return true; | |
| else if(!(c==' ' || c=='\t')) | |
| return false; | |
| return false; | |
| } | |
| /** | |
| RFC | |
| Upper case should be used for hexadecimal digits "A" through "F" | |
| The 8-bit hexadecimal value 20 (e.g., ISO-8859-1 SPACE) | |
| may be represented as "_" | |
| */ | */ |
| char *String::store_to(char *dest, Untaint_lang lang, | inline bool mail_header_nonspace_char(char c) { |
| SQL_Connection *connection, | return c != 0x20; |
| const char *charset) const { | } |
| // $MAIN:html-typo table | inline void ec_append(CORD_ec& result, bool& optimize, bool& whitespace, CORD_pos pos, size_t size) { |
| Dictionary *user_typo_dict=static_cast<Dictionary *>(pool().tag()); | while(size--) { |
| Dictionary *typo_dict=user_typo_dict?user_typo_dict:default_typo_dict; | CORD_ec_append(result, CORD_pos_fetch(pos)); |
| CORD_next(pos); | |
| } | |
| } | |
| inline void pa_CORD_pos_advance(CORD_pos pos, size_t n) { | |
| while(true) { | |
| size_t avail=CORD_pos_chars_left(pos); | |
| if(avail==0) { | |
| CORD_next(pos); | |
| if(!--n) | |
| break; | |
| } else if(avail<n) { | |
| CORD_pos_advance(pos, avail); | |
| n-=avail; | |
| } else { // avail>=n | |
| CORD_pos_advance(pos, n); | |
| break; | |
| } | |
| } | |
| } | |
| StringBody String::cstr_to_string_body(Language lang, | |
| SQL_Connection* connection, | |
| const Request_charsets *charsets) const { | |
| CORD_ec result; CORD_ec_init(result); | |
| CORD_pos pos; body.set_pos(pos, 0); | |
| bool whitespace=true; | bool whitespace=true; |
| const Chunk *chunk=&head; | |
| do { | |
| const Chunk::Row *row=chunk->rows; | |
| for(uint i=0; i<chunk->count; i++, row++) { | |
| if(row==append_here) | |
| goto break2; | |
| Untaint_lang to_lang=lang==UL_UNSPECIFIED?row->item.lang:lang; | |
| char *dest_before_origins=dest; | |
| if(forigins_mode) { | |
| #ifndef NO_STRING_ORIGIN | |
| if(row->item.origin.file) | |
| dest+=sprintf(dest, "%s(%d)", | |
| row->item.origin.file, | |
| 1+row->item.origin.line); | |
| else | |
| dest+=sprintf(dest, "unknown"); | |
| #endif | |
| dest+=sprintf(dest, "#%s: ", | |
| String_Untaint_lang_name[to_lang]); | |
| } | |
| char *dest_after_origins=dest; | |
| // WARNING: | size_t fragment_begin=0; |
| // string can grow only UNTAINT_TIMES_BIGGER | size_t fragment_end; |
| switch(to_lang) { | for(Array_iterator<Fragment> i(fragments); i.has_next(); fragment_begin=fragment_end) { |
| case UL_CLEAN: | const Fragment fragment=i.next(); |
| // clean piece | size_t fragment_length=fragment.length; |
| { // optimizing whitespace | fragment_end=fragment_begin+fragment_length; |
| const char *src=row->item.ptr; | //fprintf(stderr, "%d, %d\n", fragment.lang, fragment.length); |
| for(int size=row->item.size; size--; src++) | |
| switch(*src) { | Language to_lang=lang==L_UNSPECIFIED?fragment.lang:lang; |
| /***case ' ': case '\n': case '\t': | bool optimize=(to_lang & L_OPTIMIZE_BIT)!=0; |
| if(!whitespace) { | if(!optimize) |
| *dest++=*src; | whitespace=false; |
| whitespace=true; | |
| } | switch(to_lang & ~L_OPTIMIZE_BIT) { |
| break;*/ | case L_CLEAN: |
| default: | case L_TAINTED: |
| whitespace=false; | case L_AS_IS: |
| *dest++=*src; | // clean piece |
| break; | |
| } | // tainted piece, but undefined untaint language |
| } | // for VString.as_double of tainted values |
| break; | // for ^process{body} evaluation |
| case UL_TAINTED: | |
| // tainted piece, but undefined untaint language | // tainted, untaint language: as-is |
| // for VString.as_double of tainted values | ec_append(result, optimize, whitespace, pos, fragment_length); |
| // for ^process{body} evaluation | break; |
| case UL_AS_IS: | case L_FILE_SPEC: |
| // tainted, untaint language: as-is | // tainted, untaint language: file [name] |
| memcpy(dest, row->item.ptr, row->item.size); | escape( |
| dest+=row->item.size; | // Macintosh has problems with small Russian letter 'r' |
| break; | if( c=='\xF0' && charsets && charsets->source().NAME()=="WINDOWS-1251" ) { |
| case UL_FILE_SPEC: | // fixing that letter for most common charset |
| // tainted, untaint language: file [name] | to_char('p'); |
| escape(switch(*src) { | } else // fallback to default |
| case ' ': to_char('_'); break; | encode(need_file_encode, '_', c); |
| encode(need_file_encode, '+'); | ); |
| }); | break; |
| break; | case L_URI: |
| case UL_URI: | // tainted, untaint language: uri |
| // tainted, untaint language: uri | { |
| escape(switch(*src) { | const char *fragment_str=body.mid(fragment_begin, fragment_length).cstr(); |
| case ' ': to_char('+'); break; | // skip source [we use recoded version] |
| encode(need_uri_encode, '%'); | pa_CORD_pos_advance(pos, fragment_length); |
| }); | String::C output(fragment_str, fragment_length); |
| break; | if(charsets) |
| case UL_HTTP_HEADER: | output=Charset::transcode(output, |
| // tainted, untaint language: http-field-content-text | charsets->source(), |
| escape(switch(*src) { | charsets->client()); |
| case ' ': to_char('+'); break; | |
| encode(need_uri_encode, '%'); | char c; |
| }); | for(const char* src=output.str; c=*src++; ) |
| break; | encode(need_uri_encode, '%', c); |
| case UL_MAIL_HEADER: | } |
| // tainted, untaint language: mail-header | break; |
| if(charset) { | case L_HTTP_HEADER: |
| // Subject: Re: parser3: =?koi8-r?Q?=D3=C5=CD=C9=CE=C1=D2?= | // tainted, untaint language: http-field-content-text |
| const char *src=row->item.ptr; | escape( |
| bool to_quoted_printable=false; | encode(need_uri_encode, '%', c); |
| for(int size=row->item.size; size--; src++) { | ); |
| if(*src & 0x80) { | break; |
| if(!to_quoted_printable) { | case L_MAIL_HEADER: |
| dest+=sprintf(dest, "=?%.15s?Q?", charset); | // tainted, untaint language: mail-header |
| to_quoted_printable=true; | // http://www.ietf.org/rfc/rfc2047.txt |
| } | if(charsets) { |
| dest+=sprintf(dest, "=%02X", *src & 0xFF); | size_t mail_size; |
| } else { | const char *mail_ptr= |
| *dest++=*src; | body.mid(fragment_begin, mail_size=fragment_length).cstr(); |
| } | // skip source [we use recoded version] |
| pa_CORD_pos_advance(pos, mail_size); | |
| const char* charset_name=charsets->mail().NAME().cstr(); | |
| // Subject: Re: parser3: =?koi8-r?Q?=D3=C5=CD=C9=CE=C1=D2?= | |
| bool to_quoted_printable=false; | |
| bool email=false; | |
| uchar c; | |
| for(const char* src=mail_ptr; c=(uchar)*src++; ) { | |
| //RFC + An 'encoded-word' MUST NOT appear in any portion of an 'addr-spec'. | |
| if(to_quoted_printable && (c==',' || addr_spec_soon(src) || c == '"')) { | |
| email=c=='<'; | |
| to_string("?="); | |
| to_quoted_printable=false; | |
| } | } |
| if(to_quoted_printable) // close | if(!email && ( |
| dest+=sprintf(dest, "?="); | !to_quoted_printable && (c & 0x80) // starting quote-printable-encoding on first 8bit char |
| } else { | || to_quoted_printable && !mail_header_char_valid_within_Qencoded(c) |
| memcpy(dest, row->item.ptr, row->item.size); | )) { |
| dest+=row->item.size; | if(!to_quoted_printable) { |
| } | to_string("=?"); |
| break; | to_string(charset_name); |
| case UL_TABLE: | to_string("?Q?"); |
| // tainted, untaint language: table | to_quoted_printable=true; |
| escape(switch(*src) { | |
| case '\t': to_char(' '); break; | |
| case '\n': to_char(' '); break; | |
| _default; | |
| }); | |
| break; | |
| case UL_SQL: | |
| // tainted, untaint language: sql | |
| if(connection) | |
| dest+=connection->quote(dest, row->item.ptr, row->item.size); | |
| else | |
| throw Exception(0, 0, | |
| this, | |
| "untaint in SQL language failed - no connection specified"); | |
| break; | |
| case UL_JS: | |
| escape(switch(*src) { | |
| case '"': to_string("\\\"", 2); break; | |
| case '\'': to_string("\\'", 2); break; | |
| case '\n': to_string("\\n", 2); break; | |
| case '\\': to_string("\\\\", 2); break; | |
| case '\xFF': to_string("\\\xFF", 2); break; | |
| _default; | |
| }); | |
| break; | |
| case UL_XML: | |
| escape(switch(*src) { | |
| case '&': to_string("&", 5); break; | |
| case '>': to_string(">", 4); break; | |
| case '<': to_string("<", 4); break; | |
| case '"': to_string(""", 6); break; | |
| case '\'': to_string("'", 6); break; | |
| _default; | |
| }); | |
| break; | |
| case UL_HTML: | |
| escape(switch(*src) { | |
| case '&': to_string("&", 5); break; | |
| case '>': to_string(">", 4); break; | |
| case '<': to_string("<", 4); break; | |
| case '"': to_string(""", 6); break; | |
| _default; | |
| }); | |
| break; | |
| case UL_USER_HTML: { | |
| // tainted, untaint language: html-typo | |
| if(!typo_dict) // never, always has default | |
| throw Exception(0, 0, | |
| this, | |
| "untaint to user-html lang failed, no typo table"); | |
| char *html_for_typo= | |
| (char *)malloc(row->item.size*2/* '\n' -> '\' 'n' */+1,16); | |
| // note: | |
| // there still is a possibility that user | |
| // would not replace \n as she supposed to | |
| // and rather replace \ and n into huge strings | |
| // thus causing memory overrun | |
| // this can be dealed by allocating *2 memory, but that's too expensive | |
| size_t html_for_typo_size; | |
| { // local dest | |
| char *dest=html_for_typo; | |
| escape(switch(*src) { | |
| // convinient name for typo match "\n" | |
| case '\n': | |
| to_string("\\n", 2); | |
| break; | |
| _default; | |
| }); | |
| *dest=0; | |
| html_for_typo_size=dest-html_for_typo; | |
| } | |
| // typo table replacements | |
| const char *src=html_for_typo; | |
| do { | |
| // there is a row where first column starts 'src' | |
| if(Table::Item *item=typo_dict->first_that_starts(src)) { | |
| // get a=>b values | |
| const String& a=*static_cast<Array *>(item)->get_string(0); | |
| const String& b=*static_cast<Array *>(item)->get_string(1); | |
| // overflow check: | |
| // b allowed to be max UNTAINT_TIMES_BIGGER then a | |
| if(b.size()>UNTAINT_TIMES_BIGGER*a.size()) { | |
| pool().set_tag(0); // avoid recursion | |
| throw Exception(0, 0, | |
| &b, | |
| "is %g times longer then '%s', " | |
| "while maximum, handled by Parser, is %d", | |
| ((double)b.size())/a.size(), | |
| a.cstr(), | |
| UNTAINT_TIMES_BIGGER); | |
| } | } |
| encode(mail_header_nonspace_char, '=', '_'); | |
| // skip 'a' in 'src' | |
| src+=a.size(); | |
| // write 'b' to 'dest' | |
| b.store_to(dest); | |
| // skip 'b' in 'dest' | |
| dest+=b.size(); | |
| } else | } else |
| *dest++=*src++; | to_char(c); |
| } while(*src); | if(c=='>') |
| break; | email=false; |
| } | |
| default: | |
| throw Exception(0, 0, | |
| this, | |
| "unknown untaint language #%d of %d piece", | |
| static_cast<int>(row->item.lang), | |
| i); // never | |
| break; // never | |
| } | |
| if((lang==UL_UNSPECIFIED?row->item.lang:lang)!=UL_CLEAN) | |
| whitespace=false; | |
| if(forigins_mode) | |
| if(dest==dest_after_origins) // never moved==optimized space | |
| dest=dest_before_origins; | |
| else { | |
| remove_crlf(dest_after_origins, dest); | |
| to_char('\n'); | |
| } | } |
| if(to_quoted_printable) // close | |
| to_string("?="); | |
| } else | |
| ec_append(result, optimize, whitespace, pos, fragment_length); | |
| break; | |
| case L_TABLE: | |
| // tainted, untaint language: table | |
| escape(switch(c) { | |
| case '\t': to_char(' '); break; | |
| case '\n': to_char(' '); break; | |
| _default; | |
| }); | |
| break; | |
| #ifdef PA_SQL | |
| case L_SQL: | |
| // tainted, untaint language: sql | |
| if(connection) { | |
| const char *fragment_str=body.mid(fragment_begin, fragment_length).cstr(); | |
| // skip source [we use recoded version] | |
| pa_CORD_pos_advance(pos, fragment_length); | |
| to_string(connection->quote(fragment_str, fragment_length)); | |
| } else | |
| throw Exception(0, | |
| 0, | |
| "untaint in SQL language failed - no connection specified"); | |
| break; | |
| #endif | |
| case L_JS: | |
| escape(switch(c) { | |
| case '"': to_string("\\\""); break; | |
| case '\'': to_string("\\'"); break; | |
| case '\n': to_string("\\n"); break; | |
| case '\\': to_string("\\\\"); break; | |
| case '\xFF': to_string("\\\xFF"); break; | |
| _default; | |
| }); | |
| break; | |
| case L_XML: | |
| escape(switch(c) { | |
| case '&': to_string("&"); break; | |
| case '>': to_string(">"); break; | |
| case '<': to_string("<"); break; | |
| case '"': to_string("""); break; | |
| case '\'': to_string("'"); break; | |
| _default; | |
| }); | |
| break; | |
| case L_HTML: | |
| escape(switch(c) { | |
| case '&': to_string("&"); break; | |
| case '>': to_string(">"); break; | |
| case '<': to_string("<"); break; | |
| case '"': to_string("""); break; | |
| _default; | |
| }); | |
| break; | |
| default: | |
| SAPI::die("unknown untaint language #%d", | |
| static_cast<int>(to_lang)); // should never | |
| break; // never | |
| } | } |
| chunk=row->link; | } |
| } while(chunk); | |
| break2: | return StringBody(CORD_ec_to_cord(result)); |
| return dest; | |
| } | } |