zydronium/screwturn-4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed issue in log message sanitization in SQL Server Settings Storage Provider.

Browse source
This commit is contained in:
Dario Solera 2009-12-09 16:21:08 +00:00
parent aab14b7941
commit 2366273754
2 changed files with 15 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

16
SqlProvidersCommon/SqlSettingsStorageProviderBase.cs
View file

@ -228,6 +228,18 @@ namespace ScrewTurn.Wiki.Plugins.SqlCommon {
} }
} }
/// <summary>
/// Sanitizes a stiring from all unfriendly characters.
/// </summary>
/// <param name="input">The input string.</param>
/// <returns>The sanitized result.</returns>
private static string Sanitize(string input) {
StringBuilder sb = new StringBuilder(input);
sb.Replace("<", "&lt;");
sb.Replace(">", "&gt;");
return sb.ToString();
}
/// <summary> /// <summary>
/// Records a message to the System Log. /// Records a message to the System Log.
/// </summary> /// </summary>
@ -253,8 +265,8 @@ namespace ScrewTurn.Wiki.Plugins.SqlCommon {
List<Parameter> parameters = new List<Parameter>(4); List<Parameter> parameters = new List<Parameter>(4);
parameters.Add(new Parameter(ParameterType.DateTime, "DateTime", DateTime.Now)); parameters.Add(new Parameter(ParameterType.DateTime, "DateTime", DateTime.Now));
parameters.Add(new Parameter(ParameterType.Char, "EntryType", EntryTypeToChar(entryType))); parameters.Add(new Parameter(ParameterType.Char, "EntryType", EntryTypeToChar(entryType)));
parameters.Add(new Parameter(ParameterType.String, "User", user)); parameters.Add(new Parameter(ParameterType.String, "User", Sanitize(user)));
parameters.Add(new Parameter(ParameterType.String, "Message", message)); parameters.Add(new Parameter(ParameterType.String, "Message", Sanitize(message)));
try { try {
DbCommand command = builder.GetCommand(connString, query, parameters); DbCommand command = builder.GetCommand(connString, query, parameters);

2
SqlServerProviders/SqlServerSettingsStorageProvider.cs
View file

@ -13,7 +13,7 @@ namespace ScrewTurn.Wiki.Plugins.SqlServer {
/// </summary> /// </summary>
public class SqlServerSettingsStorageProvider : SqlSettingsStorageProviderBase { public class SqlServerSettingsStorageProvider : SqlSettingsStorageProviderBase {
private readonly ComponentInformation info = new ComponentInformation("SQL Server Settings Storage Provider", "ScrewTurn Software", "3.0.0.341", "http://www.screwturn.eu", "http://www.screwturn.eu/Version/SQLServerProv/Settings.txt"); private readonly ComponentInformation info = new ComponentInformation("SQL Server Settings Storage Provider", "ScrewTurn Software", "3.0.0.441", "http://www.screwturn.eu", "http://www.screwturn.eu/Version/SQLServerProv/Settings.txt");
private readonly SqlServerCommandBuilder commandBuilder = new SqlServerCommandBuilder(); private readonly SqlServerCommandBuilder commandBuilder = new SqlServerCommandBuilder();