Changeset 3219 for trunk/lib/MT/App.pm
- Timestamp:
- 12/03/08 07:58:25 (12 months ago)
- Files:
-
- 1 modified
-
trunk/lib/MT/App.pm (modified) (6 diffs)
trunk/lib/MT/App.pm
r3082 r3219 1974 1974 1975 1975 $url = $q->param('url'); 1976 if ( $url && !is_url($url) ) {1976 if ( $url && (!is_url($url) || ($url =~ m/[<>]/)) ) { 1977 1977 return $app->error( $app->translate("URL is invalid.") ); 1978 1978 } … … 1987 1987 return $app->error( $app->translate("User requires username.") ); 1988 1988 } 1989 if ( $name =~ m/([<>])/) { 1990 return $app->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Username"), encode_html( $1 ) ) ); 1991 } 1989 1992 1990 1993 my $existing = MT::Author->exist( { name => $name } ); … … 1996 1999 unless ($nickname) { 1997 2000 return $app->error( $app->translate("User requires display name.") ); 2001 } 2002 if ( $nickname =~ m/([<>])/) { 2003 return $app->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Display Name"), encode_html( $1 ) ) ); 1998 2004 } 1999 2005 … … 2004 2010 return $app->error( 2005 2011 $app->translate("Email Address is invalid.") ); 2012 } 2013 2014 if ( $email =~ m/([<>])/) { 2015 return $app->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Email Address"), encode_html( $1 ) ) ); 2006 2016 } 2007 2017 } … … 2399 2409 my $url = $app->uri; 2400 2410 my $blog_id = $app->param('blog_id'); 2411 2401 2412 if ( ref $param ne 'HASH' ) { 2402 2403 2413 # old scalar signature 2404 2414 $param = { error => $param }; 2405 2415 } 2406 2416 2407 if ( $MT::DebugMode && $@ ) { 2408 $param->{error} = '<pre>' . encode_html( $param->{error} ) . '</pre>'; 2417 my $error = $param->{error}; 2418 2419 if ( $MT::DebugMode ) { 2420 if ( $@ ) { 2421 # Use 'pre' tag to wrap Perl error 2422 $error = '<pre>' . encode_html( $error ) . '</pre>'; 2423 } 2409 2424 } 2410 2425 else { 2411 $param->{error} = encode_html( $param->{error} ); 2412 $param->{error} 2426 if ($error =~ m/^(.+?)( at .+? 
line \d+)(.*)$/s) { 2427 # Hide any module path info from perl error message 2428 # Information could be revealing info about where MT app 2429 # resides on server, and what version is being used, which 2430 # may be helpful forensics to an attacker. 2431 $error = $1; 2432 } 2433 $error = encode_html( $error ); 2434 $error 2413 2435 =~ s!(https?://\S+)!<a href="$1" target="_blank">$1</a>!g; 2414 2436 } 2415 $tmpl = $app->load_tmpl('error.tmpl') 2416 or return "Can't load error template; got error '" 2417 . encode_html( $app->errstr ) 2418 . "'. Giving up. Original error was <pre>$param->{error}</pre>"; 2437 2438 $tmpl = $app->load_tmpl('error.tmpl'); 2439 if (!$tmpl) { 2440 $error = '<pre>' . $error . '</pre>' unless $error =~ m/<pre>/; 2441 return "Can't load error template; got error '" 2442 . encode_html( $app->errstr ) 2443 . "'. Giving up. Original error was: $error"; 2444 } 2419 2445 my $type = $app->param('__type') || ''; 2420 2446 if ( $type eq 'dialog' ) { … … 2428 2454 $param->{value} ||= $app->{value} || $app->translate("Go Back"); 2429 2455 } 2456 local $param->{error} = $error; 2430 2457 $tmpl->param($param); 2431 2458 my $out = $tmpl->output; 2432 2459 if ( !defined $out ) { 2460 $error = '<pre>' . $error . '</pre>' unless $error =~ m/<pre>/; 2433 2461 return 2434 2462 "Can't build error template; got error '" 2435 2463 . encode_html( $tmpl->errstr ) 2436 . "'. Giving up. Original error was <pre>$param->{error}</pre>";2464 . "'. Giving up. Original error was: $error"; 2437 2465 } 2438 2466 return $app->l10n_filter($out);
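Review bot: The new `m/([<>])/` checks on username, display name and email (and the `$url =~ m/[<>]/` test in the first hunk) are a two-character deny-list: they stop raw tag injection but not attribute-context injection through `"`, `'` or `&`, so they must not be relied on in place of HTML-encoding these fields wherever a template prints them. A positive allow-list of permitted characters, matched against the whole value with `\A…\z`, would state the policy more clearly than enumerating two forbidden characters, and the same helper could serve all three fields instead of three copied blocks. In the error() hunk, `$error =~ m/^(.+?)( at .+? line \d+)(.*)$/s` also truncates any ordinary message that happens to contain " at … line N", and it runs on an undefined `$error` when error() is reached with no message, so add `$error = '' unless defined $error;` before the match (5.10 `//=` may not be available to this codebase); the enclosing error() sub begins before the hunk and its closing brace is not shown.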
