6440839 1) The old code used a CGI variable called completion_javascript - this variable contained arbitrary javascript code that was eval'd in the client browser. I have removed this code and put it in the resource file. The dsgw code will set completion_javascript to one of the 3 keywords, and the new function emit_completion_javascript will look up the code in the resource file and output it with any required arguments. It just seems like a really bad idea to execute arbitrary blobs of javascript passed in a CGI argument.

Authored and Committed by rmeggins 13 years ago
38 files changed. 159 lines added. 36 lines removed.
    2) Make the checking for the template file names stricter.
    
    3) Added many new tests.
    
    4) When removing unused or duplicate LDAP Mods, if we remove the last one, just free the entire array.
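The pattern behind item 1, as an added example that is not the DSGW code: the browser used to eval() whatever the CGI parameter carried; the fix accepts only a fixed keyword and emits server-held JavaScript with its arguments escaped. The keyword names, template bodies and argument shapes below are hypothetical stand-ins for the three keywords and resource-file entries the commit refers to.

```javascript
// Added example, not the DSGW code. Keyword names and templates are hypothetical.
// Each template receives its arguments as an already-escaped JSON literal.
const COMPLETION_TEMPLATES = {
  close_window: () => 'window.close();',
  reload_parent: () => 'window.opener.location.reload(); window.close();',
  goto_url: (args) => `window.location.href = ${args}.url;`,
};

// Serialize arguments as a JSON literal that stays inert inside a <script>
// block: '<' and '>' are escaped so an argument can never close the script
// tag, and U+2028/U+2029 are escaped because older engines treat them as
// line terminators inside string literals.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Old behaviour: the CGI value is handed to the browser verbatim and eval()'d,
// so whoever controls the request controls the code that runs.
function emitCompletionJavascriptUnsafe(cgiValue) {
  return cgiValue;
}

// New behaviour: the CGI value is only a selector. hasOwnProperty.call is used
// instead of `keyword in COMPLETION_TEMPLATES` so inherited names such as
// "toString" or "__proto__" cannot select a non-template function.
function emitCompletionJavascript(keyword, args = {}) {
  if (!Object.prototype.hasOwnProperty.call(COMPLETION_TEMPLATES, keyword)) {
    throw new Error(`unknown completion keyword: ${String(keyword)}`);
  }
  return COMPLETION_TEMPLATES[keyword](jsLiteral(args));
}

// Returns true only if the keyword would be accepted; handy for input validation.
function isCompletionKeyword(keyword) {
  return Object.prototype.hasOwnProperty.call(COMPLETION_TEMPLATES, keyword);
}
```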
    