X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~yarrgweb/git?p=ypp-sc-tools.db-test.git;a=blobdiff_plain;f=yarrg%2Fweb%2Fqtextstringcheck;h=0a75f8e9b6ae71be9f50117c542733c9ce71e787;hp=4adb606ea0b2c3e25dc8251dac335a47ee24e7e6;hb=b14effcf3ea7900eb4198f6e50112da751f29add;hpb=422fab9f34f08090bca02f67cb41bba31f816c7e

diff --git a/yarrg/web/qtextstringcheck b/yarrg/web/qtextstringcheck
index 4adb606..0a75f8e 100755
--- a/yarrg/web/qtextstringcheck
+++ b/yarrg/web/qtextstringcheck
@@ -65,7 +65,7 @@ my $mydbh;
 $dbh ||= ($mydbh= dbw_connect($ocean));
 
 my $debugf= !$debug ? sub { } : sub {
-    print "@_\n";
+    print escapeHTML("@_")."\n";
 };
 
 $debugf->("QTSC STRING '$string'");
@@ -95,7 +95,7 @@ if ($chk->method_exists('execute')) {
 	my $sqlstmt_nqs= @sqlstmt_nqs;
 
 	my @specs= $chk->attr('multiple')
-		? (split m#[/|,]#, $string)
+		? (split m#\s*[/|,]\s*#, $string)
 		: ($string);
 
 	foreach my $each (@specs) {
@@ -105,11 +105,12 @@ if ($chk->method_exists('execute')) {
 			$sth, $sqlstmt_nqs,
 			$chk->attr_exists('abbrev_initials'),
 			$chk->attr('maxambig'),
-			$chk->scall_method("nomatch", spec => $each),
+			$chk->scall_method("nomatch", specq => escerrq($each)),
 			$chk->scall_method("manyambig"),
 			sub {
 				$chk->scall_method("ambiguous",
-					spec => $each, couldbe => $_[0])
+					specq => escerrq($each),
+					couldbe => $_[1])
 			});
 		if (defined $temsg) {
 			$emsg= $temsg;
@@ -129,7 +130,10 @@ $emsg='' if !defined $emsg;
 $debugf->("QTSC EMSG='$emsg' RESULTS='@results'");
 
 if ($format =~ /json/) {
-	$r->content_type($ctype or $format);
+	$ctype ||= $format;
+	die unless grep { $_ eq $ctype }
+		qw(application/json text/plain text/xml);
+	$r->content_type($ctype);
 	my $jobj= {
 		success => 1*!length $emsg,
 		show => (length $emsg      ? $emsg                       :