unescape query arguments during processing
@@ -3,7 +3,7 @@ if (request_headers.post_data) {
if (socket.ssid) {
if (ssid_sessions[socket.ssid]) {
data = ssid_sessions[socket.ssid].getCookieString(unescape(request_headers.query.domain), unescape(request_headers.query.path));
data = ssid_sessions[socket.ssid].getCookieString(request_headers.query.domain, request_headers.query.path);
headers = "200 OK\n";
headers += "Content-Type: text/plain";
}
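Review bot: The changed call passes `request_headers.query.domain` and `request_headers.query.path` straight through, so a request that omits either key hands `undefined` to `getCookieString`; nothing in the hunk guards against that, and whether the session object tolerates it is not visible here. If it does not, rejecting the request first in the style used elsewhere in this commit (`if (!request_headers.query.domain || !request_headers.query.path) errpage = doErrorPage(400);`) would be safer than letting the lookup fail inside the session. The enclosing `if (socket.ssid)` block and the handler around it start and end outside the hunk.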
@@ -11,7 +11,7 @@ var default_build_to_send = minisrv_config.services[service_name].bf0app_default
var request_path = "";
var bf0app_update = true;
if (request_headers.query.path) request_path = unescape(request_headers.query.path);
if (request_headers.query.path) request_path = request_headers.query.path;
else request_path = default_build_to_send;
if (ssid_sessions[socket.ssid].get("wtv-client-rom-type") == "bf0app" && ssid_sessions[socket.ssid].get("wtv-client-bootrom-version") == "105") {
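Review bot: `request_path` on the changed line is taken directly from the query string, and because decoding now happens before this handler runs, sequences such as `%2e%2e%2f` arrive here as a literal `../`; nothing in the hunk constrains the value before it is used. If the path selects a file to send (the `default_build_to_send` fallback suggests it does), confirm that the lookup further down normalizes the path and rejects `..` segments and absolute paths, or add a guard here such as `if (request_path.includes("..") || request_path.startsWith("/")) request_path = default_build_to_send;`. The same pattern appears in the identical hunk below (`@@ -11,7 +11,7 @@ var default_build_to_send`) and in both `WTVFlashrom` hunks. The handler continues past the end of the hunk.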
@@ -2,7 +2,7 @@ const WTVFlashrom = require("./WTVFlashrom.js");
request_is_async = true;
var bf0app_update = false;
var request_path = unescape(request_headers.query.path);
var request_path = request_headers.query.path;
var romtype = ssid_sessions[socket.ssid].get("wtv-client-rom-type");
var bootver = ssid_sessions[socket.ssid].get("wtv-client-bootrom-version")
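Review bot: Unlike the sibling hunk that falls back to `default_build_to_send`, the changed line `var request_path = request_headers.query.path;` has no fallback and no presence check in view, so a request without `path` leaves `request_path` as `undefined` for whatever consumes it below the hunk; if the `if (!request_headers.query.path)` guard seen in the other `WTVFlashrom` hunk exists here too it sits outside this hunk, otherwise one should be added. As a point of style, the context line `var bootver = ssid_sessions[socket.ssid].get("wtv-client-bootrom-version")` relies on automatic semicolon insertion while every neighbouring statement is terminated explicitly; append `;`. The handler continues past the end of the hunk.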
@@ -9,7 +9,7 @@ if (!request_headers.query.path) {
data = errpage[1];
} else {
var wtvflashrom = new WTVFlashrom(service_vaults, service_name, minisrv_config.services[service_name].use_zefie_server, minisrv_config.services[service_name].debug);
var request_path = unescape(request_headers.query.path);
var request_path = request_headers.query.path;
// read flashrom header info into array using WTVFlashrom class
wtvflashrom.getFlashromMeta(request_path, function (data) {
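Review bot: The callback parameter `data` on the last line of the hunk shadows the handler-level `data` that the `if` branch assigns with `data = errpage[1];`, so any assignment to `data` inside the callback body (which continues outside the hunk) updates the parameter rather than the response body; if the body is meant to be set from this callback, that presumably happens through another variable, but a rename such as `function (meta) {` would make the intent unambiguous. The existing comment `// read flashrom header info into array using WTVFlashrom class` could also say what the callback does with the result, since that is what a reader of this file needs to know. The `else` branch and the callback end after the hunk.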
@@ -11,7 +11,7 @@ var default_build_to_send = minisrv_config.services[service_name].bf0app_default
var request_path = "";
var bf0app_update = true;
if (request_headers.query.path) request_path = unescape(request_headers.query.path);
if (request_headers.query.path) request_path = request_headers.query.path;
else request_path = default_build_to_send;
if (ssid_sessions[socket.ssid].get("wtv-client-rom-type") == "bf0app" && ssid_sessions[socket.ssid].get("wtv-client-bootrom-version") == "105") {
@@ -4,7 +4,7 @@ wtv-expire-all: wtv-home:/splash
wtv-expire-all: wtv-flashrom:
Content-type: text/html`
if (request_headers.query.url) headers += "\nwtv-visit: " + unescape(request_headers.query.url);
if (request_headers.query.url) headers += "\nwtv-visit: " + request_headers.query.url;
if (ssid_sessions[socket.ssid].get('box-does-psuedo-encryption')) {
var cryptstatus = "<a href='client:showalert?message=Your%20WebTV%20Unit%20sent%20us%20a%20request%20for%20SECURE%20ON%2C%20but%20did%20not%20encrypt%20any%20data%2C%20nor%20will%20accept%20it.%20However%2C%20we%20send%20the%20wtv-encryption%20flag%20to%20roll%20with%20it%2C%20enabling%20%27psuedo-encryption%27.%20Nothing%20is%20encrypted%2C%20but%20the%20box%20trusts%20us.%20This%20will%20probably%20go%20away%20if%20you%20reload%20or%20change%20pages.&buttonaction1=client:donothing&buttonlabel1=Oh%2C%20okay...'>Psuedo-encrypted</a>";
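Review bot: The changed line appends the decoded `request_headers.query.url` to the response header block with plain concatenation, so a CR or LF inside the value, which now reaches this handler decoded rather than as `%0d%0a`, would end the `wtv-visit` header and start a new header line; the commit moves the decoding but adds no check for this. Strip line breaks before appending: `if (request_headers.query.url) headers += "\nwtv-visit: " + request_headers.query.url.replace(/[\r\n]/g, "");`. The `headers` template literal that this line extends begins before the hunk.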
@@ -56,7 +56,7 @@ if (ssid_sessions[socket.ssid].hasCap("client-can-do-javascript")) {
data += `<li><input name=url `;
if (request_headers.query.url) {
data += "value='" + unescape(request_headers.query.url) + "'";
data += "value='" + request_headers.query.url + "'";
}
data += `width=250 height=10 bgcolor=#444444 text=#ffdd33 cursor=#cc9933>
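Review bot: The changed line places the decoded `request_headers.query.url` inside a single-quoted HTML attribute with no escaping, so a `'` in the value (previously it would have arrived as `%27` and been decoded by the `unescape` this commit removes, so the exposure is unchanged, but it is now the only place the value is handled) terminates the attribute and the rest of the value becomes markup. Escape the value before interpolating it: `data += "value='" + request_headers.query.url.replace(/&/g, "&amp;").replace(/'/g, "&#39;").replace(/</g, "&lt;") + "'";`. The `<li><input name=url` element is assembled across several `data +=` statements that continue outside the hunk.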
@@ -15,7 +15,7 @@ Content-length: 0`;
var logdata_outstring = '';
Object.keys(request_headers.query).forEach(function (k) {
logdata_outstring += k + "=" + unescape(request_headers.query[k].toString()) + "\r\n";
logdata_outstring += k + "=" + request_headers.query[k].toString() + "\r\n";
});
logdata_outstring += "\r\n";
var logdata_outstring_hex = Buffer.from(logdata_outstring, 'utf8').toString('hex');
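Review bot: `request_headers.query[k].toString()` on the changed line throws a TypeError if a query key is present with a `null` or `undefined` value, which would abort the whole logging loop; `String(request_headers.query[k])` gives the same text for every other value and tolerates those two. The record format is also line-based (`"\r\n"` after each key), and since values now arrive decoded a CR/LF inside one would be written as an extra record line, so consider `String(request_headers.query[k]).replace(/[\r\n]/g, " ")` if the log is parsed later. The same loop appears again in the second hunk of this file (`@@ -36,7 +36,7 @@`).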
@@ -36,7 +36,7 @@ Content-length: 0`;
var logdata_outstring = '';
Object.keys(request_headers.query).forEach(function (k) {
logdata_outstring += k + "=" + unescape(request_headers.query[k].toString()) + "\r\n";
logdata_outstring += k + "=" + request_headers.query[k].toString() + "\r\n";
});
var logdata_outstring_hex = Buffer.from(logdata_outstring, 'utf8').toString('hex');
if (minisrv_config.services[service_name].write_logs_to_disk) {
@@ -10,9 +10,9 @@ if (!request_headers.query.registering) {
if (!request_headers.query.registering) errpage = doErrorPage(400);
else if (!request_headers.query.subscriber_name) errpage = doErrorPage(400, "Please enter your name. This can be your real name, or your well-known online alias.");
else if (!request_headers.query.subscriber_username) errpage = doErrorPage(400, "Please enter a username.");
else if (unescape(request_headers.query.subscriber_username).length < 5) errpage = doErrorPage(400, "Please choose a username with 5 or more characters.");
else if (unescape(request_headers.query.subscriber_username).length > 16) errpage = doErrorPage(400, "Please choose a username with 16 or less characters.");
else if (!WTVRegister.checkUsernameSanity(unescape(request_headers.query.subscriber_username))) errpage = doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
else if (request_headers.query.subscriber_username.length < 5) errpage = doErrorPage(400, "Please choose a username with 5 or more characters.");
else if (request_headers.query.subscriber_username.length > 16) errpage = doErrorPage(400, "Please choose a username with 16 or less characters.");
else if (!WTVRegister.checkUsernameSanity(request_headers.query.subscriber_username)) errpage = doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
else if (!WTVRegister.checkUsernameAvailable(request_headers.query.subscriber_username, ssid_sessions)) errpage = doErrorPage(400, "The username you have selected is already in use. Please select another username.");
else if (!request_headers.query.subscriber_contact) errpage = doErrorPage(400, "Please enter your contact information.");
else if (request_headers.query.subscriber_contact_method == "") errpage = doErrorPage(400, "Please select the type of contact information you provided.");
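Review bot: The validation chain bounds and sanity-checks `subscriber_username` but only tests `subscriber_name` and `subscriber_contact` for presence, and both values are later interpolated into HTML on the review page and stored in the session; now that the decoded values arrive here, this chain is the natural place to bound them, e.g. `else if (request_headers.query.subscriber_name.length > 64) errpage = doErrorPage(400, "Please enter a shorter name.");` with a similar check for the contact field (the limit is a constructed example; pick what the storage allows). The username checks now agree with the pre-existing `checkUsernameAvailable` call, which was already given the raw value, so the three changed lines fix an inconsistency as well. As a point of style, the context line `subscriber_contact_method == ""` should use `===` like a strict comparison would be expected to. The `if`/`else` chain and its error handling continue outside the hunk.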
@@ -64,10 +64,10 @@ Review account info
<td border=0 abswidth=40 bgcolor="#171726" rowspan="6" >
<form ACTION="ValidateReviewAccountInfo" ENCTYPE="x-www-form-encoded" METHOD="POST">
<input type=hidden name=registering value="true">
<input type=hidden name=subscriber_name value="${unescape(request_headers.query.subscriber_name)}">
<input type=hidden name=subscriber_username value="${unescape(request_headers.query.subscriber_username)}">
<input type=hidden name=subscriber_contact value="${unescape(request_headers.query.subscriber_contact)}">
<input type=hidden name=subscriber_contact_method value="${unescape(request_headers.query.subscriber_contact_method)}">
<input type=hidden name=subscriber_name value="${request_headers.query.subscriber_name}">
<input type=hidden name=subscriber_username value="${request_headers.query.subscriber_username}">
<input type=hidden name=subscriber_contact value="${request_headers.query.subscriber_contact}">
<input type=hidden name=subscriber_contact_method value="${request_headers.query.subscriber_contact_method}">
<td height=50 width= 300 bgcolor="#171726" colspan=6 valign=top align=left>
Here is your account information. If you need to<br>
correct an item, press <b>Back</b>.
@@ -76,24 +76,24 @@ correct an item, press <b>Back</b>.
<td width=260 valign=top align=left colspan=4>
<table cellspacing=0 cellpadding=0 border=0 >
<img src="images/arrow.gif"> <font size=-2><b>NAME</b></font><br>
<tt><font color=#d1d3d3 size=-2><spacer type=horizontal size=17> ${unescape(request_headers.query.subscriber_name)}</font></tt></a>
<tt><font color=#d1d3d3 size=-2><spacer type=horizontal size=17> ${request_headers.query.subscriber_name}</font></tt></a>
</table>
<p>
<table cellspacing=0 cellpadding=0 border=0>
<img src="images/arrow.gif"> <font size=-2><b>CONTACT</b></font><br>
<tt><font color=#d1d3d3 size=-2><spacer type=horizontal size=17> ${unescape(request_headers.query.subscriber_contact)}</font></tt></a>
<tt><font color=#d1d3d3 size=-2><spacer type=horizontal size=17> ${request_headers.query.subscriber_contact}</font></tt></a>
</table>
</TD>
<td abswidth=200 bgcolor=#171726 valign=top align=left>
<table cellspacing=0 cellpadding=0 border=0> <TR><TD>
<img src="images/arrow.gif"><font size=-2> <b>USERNAME</b></font><br>
<tr><td maxlines=1 >
<tt><font color=#d1d3d3><spacer type=horizontal size=17>${unescape(request_headers.query.subscriber_name)}</font></tt></a>
<tt><font color=#d1d3d3><spacer type=horizontal size=17>${request_headers.query.subscriber_name}</font></tt></a>
</table>
<p>
<table cellspacing=0 cellpadding=0 border=0>
<img src="images/arrow.gif"> <font size=-2><b>CONTACT TYPE</b></font><br>
<tt><font color=#d1d3d3 size=-2><spacer type=horizontal size=17>${unescape(request_headers.query.subscriber_contact_method)}</font></tt>
<tt><font color=#d1d3d3 size=-2><spacer type=horizontal size=17>${request_headers.query.subscriber_contact_method}</font></tt>
</table> <P> <P>
<td abswidth=20 bgcolor=#171726 >
</tr>
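Review bot: The row headed `<b>USERNAME</b>` interpolates `${request_headers.query.subscriber_name}` on its changed line, the same field the NAME row already shows, so the username the subscriber chose appears nowhere on the review page; this looks like it should be `${request_headers.query.subscriber_username}`, and the commit carries the mistake over unchanged. Separately, every changed line in this hunk and in the preceding one (`@@ -64,10 +64,10 @@`, the hidden `<input ... value="...">` fields) inserts the decoded name, contact and contact-method values into HTML text and double-quoted attributes with no escaping, and the validation chain only bounds the username; a `"` or `<` in the name or contact now breaks the markup. Define one helper near the top of the template, `const esc = (s) => String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");`, and wrap each interpolation as `${esc(request_headers.query.subscriber_name)}`. The `data` template literal that both hunks sit inside begins and ends outside them.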
@@ -11,10 +11,10 @@ if (!request_headers.query.registering ||
headers = errpage[0];
data = errpage[1];
} else {
ssid_sessions[socket.ssid].setSessionData("subscriber_name", unescape(request_headers.query.subscriber_name));
ssid_sessions[socket.ssid].setSessionData("subscriber_username", unescape(request_headers.query.subscriber_username));
ssid_sessions[socket.ssid].setSessionData("subscriber_contact", unescape(request_headers.query.subscriber_contact));
ssid_sessions[socket.ssid].setSessionData("subscriber_contact_method", unescape(request_headers.query.subscriber_contact_method));
ssid_sessions[socket.ssid].setSessionData("subscriber_name", request_headers.query.subscriber_name);
ssid_sessions[socket.ssid].setSessionData("subscriber_username", request_headers.query.subscriber_username);
ssid_sessions[socket.ssid].setSessionData("subscriber_contact", request_headers.query.subscriber_contact);
ssid_sessions[socket.ssid].setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method);
ssid_sessions[socket.ssid].setSessionData("subscriber_userid", '1' + Math.floor(Math.random() * 1000000000000000000));
ssid_sessions[socket.ssid].setSessionData("registered", true);
if (!ssid_sessions[socket.ssid].storeSessionData()) {
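Review bot: The `subscriber_userid` line immediately after the four changed `setSessionData` calls builds the identifier from `Math.random() * 1000000000000000000`, and 1e18 is well above `Number.MAX_SAFE_INTEGER` (about 9e15), so the product cannot represent every integer in that range and the low digits of the id are not uniformly distributed; `Math.random()` is also not a cryptographic source, which matters only if this id is meant to be unguessable, and that is not visible here. If it is an account identifier, `'1' + crypto.randomInt(0, Number.MAX_SAFE_INTEGER)` (Node's `crypto` module, already a dependency of any file that uses `Buffer` this way) or `crypto.randomUUID()` would be the safer choice; if it is only a display value, a comment saying so would stop the next reader from worrying. The four changed lines store the decoded values as received; any length bound should be enforced in the validation chain above, which starts before the hunk. The `else` branch continues past the end of the hunk.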
@@ -1,6 +1,6 @@
// Allow URL access outside our trusted minisrv
if (request_headers.query.url) var url = unescape(request_headers.query.url);
if (request_headers.query.url) var url = request_headers.query.url;
else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"
headers = `200 OK
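Review bot: Declaring `var url` separately in both the `if` and the `else` branch works only because `var` hoists, and the `else` line also drops its semicolon; a single declaration is clearer and behaves identically for the truthiness test the original uses: `var url = request_headers.query.url || "client:showalert?message=...&buttonlabel1=Okay&buttonaction1=client:donothing";`. Note the fallback string on the context line spells the parameter `buttonacction1`, whereas the `client:showalert` URL in the earlier hunk uses `buttonaction1`; that looks like a typo that would make the button do nothing useful, though the client-side parsing is not visible here. The comment `// Allow URL access outside our trusted minisrv` documents the intent well; it would help to add that `url` is passed through to the client unvalidated by design, so nobody later "fixes" it without understanding that. The `headers` template literal is cut off by the end of the hunk.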
@@ -6,7 +6,7 @@ Content-type: text/html`
var visit_url = null;
if (request_headers.Referer) visit_url = request_headers.Referer;
else if (request_headers.query.return_to) visit_url = unescape(request_headers.query.return_to);
else if (request_headers.query.return_to) visit_url = request_headers.query.return_to;
else visit_url = "client:goback";
data = `<html>
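Review bot: The chain gives `request_headers.Referer` precedence over the changed `return_to` line, so an explicit `return_to` in the query is silently ignored whenever the client sends a referer; if that ordering is intended, a comment such as `// Referer wins so the client returns to the page it actually came from; return_to is only a fallback` would save the next reader from reversing it. Both sources are client-controlled, and if `visit_url` later ends up in a response header (the `Content-type` line above suggests a header block is being built) the decoded value should have CR/LF stripped before use; where `visit_url` is consumed is outside the hunk. The `var visit_url = null;` initialiser is immediately overwritten by every branch and could be folded into a single `let`/`const` declaration.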