X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~yarrgweb/git?p=ypp-sc-tools.db-live.git;a=blobdiff_plain;f=yarrg%2Fweb%2Fqtextstringcheck;h=539abce6a550d8387c0171b845ef20b50b0d651c;hp=3b4fdd7470443e040a09882a1e66eba621c3ac7e;hb=ea09579bdbec295cfe7735a262e06055a1f69835;hpb=13b9f206d92634f4e6f4a940ed31690c1235d827

diff --git a/yarrg/web/qtextstringcheck b/yarrg/web/qtextstringcheck
index 3b4fdd7..539abce 100755
--- a/yarrg/web/qtextstringcheck
+++ b/yarrg/web/qtextstringcheck
@@ -60,12 +60,13 @@ use Scalar::Util qw(blessed);
 
 die if $what =~ m/[^a-z]/;
 my $chk= $m->fetch_comp("check_${what}");
+die "check_$what" unless $chk;
 
 my $mydbh;
 $dbh ||= ($mydbh= dbw_connect($ocean));
 
 my $debugf= !$debug ? sub { } : sub {
-    print "@_\n";
+    print escapeHTML("@_")."\n";
 };
 
 $debugf->("QTSC STRING '$string'");
@@ -105,11 +106,12 @@ if ($chk->method_exists('execute')) {
 			$sth, $sqlstmt_nqs,
 			$chk->attr_exists('abbrev_initials'),
 			$chk->attr('maxambig'),
-			$chk->scall_method("nomatch", spec => $each),
+			$chk->scall_method("nomatch", specq => escerrq($each)),
 			$chk->scall_method("manyambig"),
 			sub {
 				$chk->scall_method("ambiguous",
-					spec => $each, couldbe => $_[0])
+					specq => escerrq($each),
+					couldbe => $_[1])
 			});
 		if (defined $temsg) {
 			$emsg= $temsg;
@@ -129,7 +131,10 @@ $emsg='' if !defined $emsg;
 $debugf->("QTSC EMSG='$emsg' RESULTS='@results'");
 
 if ($format =~ /json/) {
-	$r->content_type($ctype or $format);
+	$ctype ||= $format;
+	die unless grep { $_ eq $ctype }
+		qw(application/json text/plain text/xml);
+	$r->content_type($ctype);
 	my $jobj= {
 		success => 1*!length $emsg,
 		show => (length $emsg      ? $emsg                       :