X-Git-Url: https://git.cyclocoop.org/%7Bplugin_url%20file=%24css%7D?a=blobdiff_plain;f=poll.pm;fp=poll.pm;h=b79fd0e0be1280712ea1fc78173c9df3ba4ce6ab;hb=2af402570220c582546515129925f9dadcc155ec;hp=612b49d1fb2bc4505cf349207517fe7dea494851;hpb=d5fce9d5efc06ee69f7abce3fe64b7c144c9b6c3;p=ikiwiki%2Fpoll.git
diff --git a/poll.pm b/poll.pm
index 612b49d..b79fd0e 100644
--- a/poll.pm
+++ b/poll.pm
@@ -22,6 +22,22 @@ sub getsetup () {
, section => "widget"
};
}
+my $params_re
+ = qr{
+ (?>
+ (?>(?:[^\[\]]|\[[^\[]|\][^\]])+)
+ |
+ (?'loop'
+ \[\[
+ (?>
+ (?>(?:[^\[\]]|\[[^\[]|\][^\]])+)
+ |
+ (?&loop)
+ )*
+ \]\]
+ )
+ )*
+ }x;
sub scan (@) {
my %params = @_;
my $page = $params{page};
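Review bot: `$params_re` carries no comment saying what it is for, and two properties of it matter to every caller: both of its quantifiers are `*`, so it matches the empty string, and its groups are atomic, so it keeps any whitespace that precedes the closing `]]`, which means a following `\s*` (the one after `($params_re)` in `scan`, and `$+{space_end}` in the `sessioncgi` substitution) always captures nothing. A header comment above the `my $params_re` line such as `# Directive parameters, allowing balanced nested [[...]]; may be empty and keeps trailing whitespace` would make those callers easier to reason about. The `(?'loop' ...)`/`(?&loop)` recursion needs perl 5.10 or later; whether the file declares that minimum is not visible here. The hunk ends inside the opening of `scan`, whose body continues outside it.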
@@ -30,7 +46,7 @@ sub scan (@) {
my $type = IkiWiki::pagetype($pagesources{$page});
if (defined $type and $type eq "mdwn") {
my %polls = ();
- while ($content =~ m{(\\?)\[\[\Q$prefix\E(\s+id="([^"]*)")?\s+(.+?)\s*\]\]}gs) {
+ while ($content =~ m{(\\?)\[\[\Q$prefix\E(\s+id="([^"]*)")?\s+($params_re)\s*\]\]}gs) {
my ($escape, $poll, $directive) = ($1, $3, $4);
next if $escape;
$poll = '' unless defined $poll;
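Review bot: The replaced `(.+?)` required at least one character after the whitespace, whereas `$params_re` also matches the empty string, so a directive consisting of `[[`, the prefix, whitespace and `]]` now enters the loop with `$directive` equal to `''`; whether the code below copes with an empty directive is outside the hunk. If such directives should keep being ignored as before, `next unless length $directive;` after the `next if $escape;` line restores the old behaviour. `scan` continues past the end of the hunk.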
@@ -119,10 +135,11 @@ sub preprocess (@) {
if $choices{$choice}{unknown_votes};
}
if ($open && exists $config{cgiurl}) {
+ my $choice_escaped = URI::Escape::uri_escape_utf8($choice, '^A-Za-z0-9\ \-\._~/');
$ret.="\n";
$ret.="\n";
$ret.="\n";
- $ret.="\n";
+ $ret.="\n";
$ret.="\n";
}
$ret.="$choice";
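Review bot: The safe-set string passed to `uri_escape_utf8` on the first added line and the `uri_unescape`/`decode_utf8` chain in `sessioncgi` are a matched pair, but nothing in the code ties them together; a comment above that line, `# Encode the choice for the hidden form field; sessioncgi reverses this with uri_unescape + decode_utf8, keep both in sync`, would stop one side being changed alone. Space and `/` are left unencoded, which is only safe while the value lands in a quoted attribute; the `$ret.=` lines appear to have lost their markup in this rendering, so that could not be confirmed here. `preprocess` starts before the hunk.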
@@ -156,7 +173,8 @@ sub sessioncgi ($$) {
my $cgi=shift;
my $session=shift;
if (defined $cgi->param('do') && $cgi->param('do') eq "poll") {
- my $choice=decode_utf8($cgi->param('choice'));
+ my $choice = Encode::decode_utf8(URI::Escape::uri_unescape(IkiWiki::possibly_foolish_untaint($cgi->param('choice'))));
+
if (! defined $choice || not length $choice) {
error("no choice specified");
}
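Review bot: `IkiWiki::possibly_foolish_untaint` is applied to the raw `choice` parameter before anything checks it; within the hunk the only validation is the defined/length test that follows, so the untaint is justified only if the decoded value is later matched against the poll's own choices, which is outside the hunk. A comment on that line would record the dependency: `# choice was percent-encoded by preprocess(); undo that before decoding. Only safe to untaint because the value is checked against the page's choices below.` The decode order, `uri_unescape` before `decode_utf8`, is the correct inverse of `uri_escape_utf8`.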
@@ -239,7 +257,25 @@ sub sessioncgi ($$) {
return "$params";
};
my $id='';
- $content =~ s{(\\?)\[\[\Q$prefix\E(\s+id="([^"]*)")?(\s+)(.+?)(\s*)\]\]}{$id=$3;$1.'[['.$prefix.$2.$4.$edit->($1, $5).$6.']]'}gse;
+ $content =~
+ s{
+ (?\\?)
+ \[\[\Q$prefix\E
+ (?:\s+id="(?[^"]*)")?
+ (?\s+)
+ (?$params_re)
+ (?\s*)
+ \]\]
+ }
+ {$id=$+{id};
+ $+{escape}
+ .'[['.$prefix
+ .($+{id} eq ''?'':'id="'.$+{id}.'"')
+ .$+{space_begin}
+ .$edit->($+{escape}, $+{params})
+ .$+{space_end}
+ .']]'
+ }egsx;
# Store their vote, update the page, and redirect to it.
writefile($pagesources{$page}, $config{srcdir}, $content);