X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/chopwood/blobdiff_plain/58b2af638cde9ecd0a842fffbcb76cc8c42663ea..d6b72d90e658140961b040e53c009d82fa0f11c9:/cgi.py

diff --git a/cgi.py b/cgi.py
index 0630feb..3b3d441 100644
--- a/cgi.py
+++ b/cgi.py
@@ -59,7 +59,7 @@ CONF.DEFAULTS.update(
 ## Some handy regular expressions.
 R_URLESC = RX.compile('%([0-9a-fA-F]{2})')
 R_URLBAD = RX.compile('[^-\\w,.!]')
-R_HTMLBAD = RX.compile('[&<>]')
+R_HTMLBAD = RX.compile('[&<>\'"]')
 
 def urldecode(s):
   """Decode a single form-url-encoded string S."""
@@ -77,17 +77,18 @@ def htmlescape(s):
 
 ## Some standard character sequences, and HTML entity names for prettier
 ## versions.
-_quotify = U.StringSubst({
+html_quotify = U.StringSubst({
+  "<": '&lt;',
+  ">": '&gt;',
+  "&": '&amp;',
   "`": '&lsquo;',
   "'": '&rsquo;',
+  '"': '&quot;',
   "``": '&ldquo;',
   "''": '&rdquo;',
   "--": '&ndash;',
   "---": '&mdash;'
 })
-def html_quotify(s):
-  """Return a pretty HTML version of S."""
-  return _quotify(htmlescape(s))
 
 ###--------------------------------------------------------------------------
 ### Output machinery.
@@ -145,7 +146,7 @@ def cookie(name, value, **kw):
                                  T.gmtime(U.NOW + maxage))
   return '; '.join(['%s=%s' % (urlencode(name), urlencode(value))] +
                    [v is not True and '%s=%s' % (k, v) or k
-                    for k, v in attr.iteritems()])
+                    for k, v in attr.iteritems() if v])
 
 def action(*v, **kw):
   """
@@ -229,7 +230,7 @@ class FormatHTML (F.SimpleFormatOperation):
   """
   ~H: escape output suitable for inclusion in HTML.
 
-  With `:', instead apply form-urlencoding.
+  With `:', additionally apply quotification.
   """
   def _convert(me, arg):
     if me.colonp: return html_quotify(arg)
@@ -264,7 +265,7 @@ def cgi_errors(hook = None):
     if hook: hook()
     if isinstance(e, U.ExpectedError) and not OUT.headerp:
       page('error.fhtml',
-           headers = dict(status = e.code),
+           header = dict(status = e.code),
            title = 'Chopwood: error', error = e)
     else:
       exty, exval, extb = SYS.exc_info()
@@ -278,7 +279,7 @@ def cgi_errors(hook = None):
           format_tmpl(TMPL['exception.fhtml'], toplevel = False)
         else:
           page('exception.fhtml',
-               headers = dict(status = 500),
+               header = dict(status = 500),
                title = 'Chopwood: internal error',
                toplevel = True)
 
@@ -291,6 +292,7 @@ SPECIAL = {}
 PARAM = []
 PARAMDICT = {}
 PATH = []
+SSLP = False
 
 ## Regular expressions for splitting apart query and cookie strings.
 R_QSPLIT = RX.compile('[;&]')
@@ -346,8 +348,13 @@ def cgiparse():
   `PATH'
         The trailing `PATH_INFO' path, split at `/' markers, with any
         trailing empty component removed.
+
+  `SSLP'
+        True if the client connection is carried over SSL or TLS.
   """
 
+  global SSLP
+
   def getenv(var):
     try: return ENV[var]
     except KeyError: raise U.ExpectedError, (500, "No `%s' supplied" % var)
@@ -402,6 +409,10 @@ def cgiparse():
     if pp and not pp[-1]: pp.pop()
     PATH[:] = pp
 
+  ## Check the crypto for the connection.
+  if ENV.get('SSL_PROTOCOL'):
+    SSLP = True
+
 ###--------------------------------------------------------------------------
 ### CGI subcommands.