author | Adam Chlipala <adam@chlipala.net> | 2010-08-10 15:55:43 -0400 |
---|---|---|
committer | Adam Chlipala <adam@chlipala.net> | 2010-08-10 15:55:43 -0400 |
commit | 06f9a1fcbb40856fae744e49be3bf0e166246293 (patch) | |
tree | 407556eab027f66694f1ddc3a0d4c1813e1b120f | |
parent | 55a669bc95cb2831f5a4fc084d2aa828863a1f07 (diff) |
Better UTF-8 escaping for JavaScript and SQL literals
-rw-r--r-- | src/cjr_print.sml | 8 | ||||
-rw-r--r-- | src/jscomp.sml | 2 | ||||
-rw-r--r-- | src/mysql.sml | 14 | ||||
-rw-r--r-- | src/postgres.sml | 20 | ||||
-rw-r--r-- | src/sqlite.sml | 27 | ||||
-rw-r--r-- | src/urweb.lex | 2 |
6 files changed, 34 insertions, 39 deletions
diff --git a/src/cjr_print.sml b/src/cjr_print.sml index 34936aac..412531a6 100644 --- a/src/cjr_print.sml +++ b/src/cjr_print.sml @@ -2128,7 +2128,7 @@ fun p_decl env (dAll as (d, _) : decl) = | DPreparedStatements _ => box [] | DJavaScript s => box [string "static char jslib[] = \"", - string (String.toString s), + string (String.toCString s), string "\";"] | DCookie s => box [string "/*", space, @@ -2585,7 +2585,7 @@ fun p_file env (ds, ps) = prefix ^ s in box [string "if (!strncmp(request, \"", - string (String.toString s), + string (String.toCString s), string "\", ", string (Int.toString (size s)), string ") && (request[", @@ -2761,10 +2761,10 @@ fun p_file env (ds, ps) = box [string "if (!str", case #kind rule of Settings.Exact => box [string "cmp(s, \"", - string (String.toString (#pattern rule)), + string (String.toCString (#pattern rule)), string "\"))"] | Settings.Prefix => box [string "ncmp(s, \"", - string (String.toString (#pattern rule)), + string (String.toCString (#pattern rule)), string "\", ", string (Int.toString (size (#pattern rule))), string "))"], diff --git a/src/jscomp.sml b/src/jscomp.sml index 4b04194c..f97725eb 100644 --- a/src/jscomp.sml +++ b/src/jscomp.sml @@ -435,7 +435,7 @@ fun process file = | #"\r" => "\\r" | #"\t" => "\\t" | ch => - if Char.isPrint ch then + if Char.isPrint ch orelse ord ch >= 128 then String.str ch else "\\" ^ padWith (#"0", diff --git a/src/mysql.sml b/src/mysql.sml index fa49ced3..12d52255 100644 --- a/src/mysql.sml +++ b/src/mysql.sml @@ -344,7 +344,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = fun stringOf r = case !r of NONE => string "NULL" | SOME s => box [string "\"", - string (String.toString s), + string (String.toCString s), string "\""] in app (fn s => 
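Review bot: The switch from `String.toString` to `String.toCString` at the `DJavaScript` case is not explained, and a reader of the generated-C printer cannot tell from the call why the Basis's default escaper was wrong for a C string literal. A comment at this first replacement, `(* toCString: control bytes and UTF-8 bytes >= 128 become C \ooo octal escapes; String.toString would emit SML-style \ddd decimal escapes (e.g. \195) that a C compiler reads as an octal escape followed by digits *)`, would record the reason once. The same substitution, with the same missing rationale, is repeated in the other two cjr_print.sml hunks and in every mysql.sml, postgres.sml and sqlite.sml hunk of this commit. The enclosing `p_decl` starts outside the hunk.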
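Review bot: The new `orelse ord ch >= 128` guard passes every high byte into the JavaScript string literal unescaped, so the literal is now only well-formed if those bytes form valid UTF-8 and the generated script is emitted and served as UTF-8, and neither assumption is stated anywhere near the branch. One case worth checking is U+2028/U+2029 (UTF-8 `E2 80 A8` / `E2 80 A9`), which ECMAScript of this era treats as line terminators that may not appear raw inside a string literal, so a source-level string holding one would now produce a syntax error where the old code emitted an octal escape. A comment on the new branch, `(* bytes >= 128 are emitted raw and assumed to be part of well-formed UTF-8; U+2028/U+2029 are not handled *)`, would make the assumption explicit, and escaping those two code points would close the gap. The enclosing `process` function lies outside the hunk.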
@@ -477,7 +477,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = newline, string "if (mysql_stmt_prepare(stmt, \"", - string (String.toString s), + string (String.toCString s), string "\", ", string (Int.toString (size s)), string ")) {", @@ -974,7 +974,7 @@ fun queryPrepared {loc, id, query, inputs, cols, doCols, nested} = else box [], string "if (mysql_stmt_prepare(stmt, \"", - string (String.toString query), + string (String.toCString query), string "\", ", string (Int.toString (size query)), string ")) {", @@ -1185,7 +1185,7 @@ fun queryPrepared {loc, id, query, inputs, cols, doCols, nested} = newline, queryCommon {loc = loc, cols = cols, doCols = doCols, query = box [string "\"", - string (String.toString query), + string (String.toCString query), string "\""]}, if nested then @@ -1276,7 +1276,7 @@ fun dmlPrepared {loc, id, dml, inputs} = string "if (stmt == NULL) uw_error(ctx, FATAL, \"Out of memory allocating prepared statement\");", newline, string "if (mysql_stmt_prepare(stmt, \"", - string (String.toString dml), + string (String.toCString dml), string "\", ", string (Int.toString (size dml)), string ")) {", @@ -1470,7 +1470,7 @@ fun dmlPrepared {loc, id, dml, inputs} = newline, dmlCommon {loc = loc, dml = box [string "\"", - string (String.toString dml), + string (String.toCString dml), string "\""]}] fun nextval {loc, seqE, seqName} = @@ -1514,7 +1514,7 @@ fun sqlifyString s = "'" ^ String.translate (fn #"'" => "\\'" (ErrorMsg.error "Non-printing character found in SQL string literal"; "")) - (String.toString s) ^ "'" + (String.toCString s) ^ "'" fun p_cast (s, _) = s diff --git a/src/postgres.sml b/src/postgres.sml index 8541ca4a..12e928c5 100644 --- a/src/postgres.sml +++ b/src/postgres.sml 
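Review bot: Feeding `String.toCString s` into this translate (the `@@ -1514` hunk) changes what reaches MySQL in two ways the commit does not address. The Basis `Char.toCString` already rewrites `'` as `\'`, so the translate's `#"'" => "\\'"` clause then sees the quote on its own and the literal ends up containing `\\'` — for MySQL that is an escaped backslash followed by an unescaped quote, i.e. a terminated string, unless a clause outside the hunk handles the backslash first. Bytes >= 128 come out of `toCString` as `\ooo` octal escapes, which MySQL, unlike C or PostgreSQL `E''` strings, does not interpret (the backslash is dropped and the digits kept), so non-ASCII text in a compile-time literal is mangled rather than passed through. It would be safer to translate `s` directly with MySQL's own rules, as the sqlite.sml change in this commit does for its backend, assuming a UTF-8 connection charset; the `'` double-escaping also applies to the postgres.sml sqlifyString hunk (`@@ -921`). The start of sqlifyString lies outside the hunk.
```sml
fun sqlifyString s = "'" ^ String.translate (fn #"'" => "\\'"
                                              | #"\\" => "\\\\"
                                              | #"\000" => "\\0"
                                              | ch => str ch)
                                             s ^ "'"
```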
@@ -331,7 +331,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = box [string "res = PQprepare(conn, \"uw", string (Int.toString i), string "\", \"", - string (String.toString s), + string (String.toCString s), string "\", ", string (Int.toString n), string ", NULL);", @@ -349,7 +349,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = string "PQfinish(conn);", newline, string "uw_error(ctx, FATAL, \"Unable to create prepared statement:\\n", - string (String.toString s), + string (String.toCString s), string "\\n%s\", msg);", newline], string "}", @@ -473,7 +473,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = string "static void uw_db_init(uw_context ctx) {", newline, string "PGconn *conn = PQconnectdb(\"", - string (String.toString dbstring), + string (String.toCString dbstring), string "\");", newline, string "if (conn == NULL) uw_error(ctx, FATAL, ", @@ -698,14 +698,14 @@ fun queryPrepared {loc, id, query, inputs, cols, doCols, nested = _} = string ", paramValues, paramLengths, paramFormats, 0);"] else box [string "PQexecParams(conn, \"", - string (String.toString query), + string (String.toCString query), string "\", ", string (Int.toString (length inputs)), string ", NULL, paramValues, paramLengths, paramFormats, 0);"], newline, newline, queryCommon {loc = loc, cols = cols, doCols = doCols, query = box [string "\"", - string (String.toString query), + string (String.toCString query), string "\""]}] fun dmlCommon {loc, dml} = 
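Review bot: In the `@@ -349` hunk the statement text that `String.toCString s` emits is spliced into the format string of `uw_error(ctx, FATAL, "Unable to create prepared statement:\n…\n%s", msg)`, and `toCString` does nothing about `%`, so a prepared statement containing a percent sign (a `LIKE '%…%'` pattern, say) becomes extra conversion specifiers with no matching arguments when preparation fails. The statement is a compile-time constant, so this is a crash or garbage message rather than an attacker-controlled format string, but it is still undefined behaviour in the generated C. Passing the text as an argument keeps it inert: `string "uw_error(ctx, FATAL, \"Unable to create prepared statement:\\n%s\\n%s\", \"",` followed by `string (String.toCString s),` and `string "\", msg);"`. The sqlite.sml hunks at `@@ -651` and `@@ -739` embed `query`/`dml` in an `uw_error` format string the same way, and the `uhoh` call at `@@ -242` looks like it does too if `uhoh` formats its first argument. The enclosing `init` starts outside the hunk.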
@@ -779,14 +779,14 @@ fun dmlPrepared {loc, id, dml, inputs} = string ", paramValues, paramLengths, paramFormats, 0);"] else box [string "PQexecParams(conn, \"", - string (String.toString dml), + string (String.toCString dml), string "\", ", string (Int.toString (length inputs)), string ", NULL, paramValues, paramLengths, paramFormats, 0);"], newline, newline, dmlCommon {loc = loc, dml = box [string "\"", - string (String.toString dml), + string (String.toCString dml), string "\""]}] fun nextvalCommon {loc, query} = @@ -863,12 +863,12 @@ fun nextvalPrepared {loc, id, query} = string "\", 0, NULL, NULL, NULL, 0);"] else box [string "PQexecParams(conn, \"", - string (String.toString query), + string (String.toCString query), string "\", 0, NULL, NULL, NULL, NULL, 0);"], newline, newline, nextvalCommon {loc = loc, query = box [string "\"", - string (String.toString query), + string (String.toCString query), string "\""]}] fun setvalCommon {loc, query} = @@ -921,7 +921,7 @@ fun sqlifyString s = "E'" ^ String.translate (fn #"'" => "\\'" else "\\" ^ StringCvt.padLeft #"0" 3 (Int.fmt StringCvt.OCT (ord ch))) - (String.toString s) ^ "'::text" + (String.toCString s) ^ "'::text" fun p_cast (s, t) = s ^ "::" ^ p_sql_type t diff --git a/src/sqlite.sml b/src/sqlite.sml index d628da16..74093f21 100644 --- a/src/sqlite.sml +++ b/src/sqlite.sml @@ -230,7 +230,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = newline] in box [string "if (sqlite3_prepare_v2(conn->conn, \"", - string (String.toString s), + string (String.toCString s), string "\", -1, &conn->p", string (Int.toString i), string ", NULL) != SQLITE_OK) {", @@ -242,7 +242,7 @@ fun init {dbstring, prepared = ss, tables, views, sequences} = string "msg[1023] = 0;", newline, uhoh false ("Error preparing statement: " - ^ String.toString s ^ "<br />%s") ["msg"]], + ^ String.toCString s ^ "<br />%s") ["msg"]], string "}", newline] end) 
@@ -651,9 +651,9 @@ fun queryPrepared {loc, id, query, inputs, cols, doCols, nested} = newline], string "if (sqlite3_prepare_v2(conn->conn, \"", - string (String.toString query), + string (String.toCString query), string "\", -1, &stmt, NULL) != SQLITE_OK) uw_error(ctx, FATAL, \"Error preparing statement: ", - string (String.toString query), + string (String.toCString query), string "<br />%s\", sqlite3_errmsg(conn->conn));", newline, if nested then @@ -677,7 +677,7 @@ fun queryPrepared {loc, id, query, inputs, cols, doCols, nested} = newline, queryCommon {loc = loc, cols = cols, doCols = doCols, query = box [string "\"", - string (String.toString query), + string (String.toCString query), string "\""]}, string "uw_pop_cleanup(ctx);", @@ -739,9 +739,9 @@ fun dmlPrepared {loc, id, dml, inputs} = string "if (stmt == NULL) {", newline, box [string "if (sqlite3_prepare_v2(conn->conn, \"", - string (String.toString dml), + string (String.toCString dml), string "\", -1, &stmt, NULL) != SQLITE_OK) uw_error(ctx, FATAL, \"Error preparing statement: ", - string (String.toString dml), + string (String.toCString dml), string "<br />%s\", sqlite3_errmsg(conn->conn));", newline, string "conn->p", @@ -760,7 +760,7 @@ fun dmlPrepared {loc, id, dml, inputs} = newline, dmlCommon {loc = loc, dml = box [string "\"", - string (String.toString dml), + string (String.toCString dml), string "\""]}, string "uw_pop_cleanup(ctx);", @@ -800,14 +800,9 @@ fun nextvalPrepared _ = raise Fail "SQLite.nextvalPrepared called" fun setval _ = raise Fail "SQLite.setval called" fun sqlifyString s = "'" ^ String.translate (fn #"'" => "''" - | ch => - if Char.isPrint ch then - str ch - else - (ErrorMsg.error - "Non-printing character found in SQL string literal"; - "")) - (String.toString s) ^ "'" + | #"\000" => "" + | ch => str ch) + s ^ "'" fun p_cast (s, _) = s diff --git a/src/urweb.lex b/src/urweb.lex index 88b7d857..27af5bdd 100644 --- a/src/urweb.lex +++ b/src/urweb.lex 
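Review bot: In the `@@ -800` hunk the new `#"\000" => ""` clause silently drops NUL bytes from the literal, where the removed code reported `Non-printing character found in SQL string literal` for any unprintable byte; a program whose string constant contains NUL now compiles and quietly stores a different value. Since the query text later goes into a NUL-terminated C string (the `sqlite3_prepare_v2` calls above pass `-1` as the length), NUL genuinely cannot be represented here, so keeping the diagnostic is the safer choice: `| #"\000" => (ErrorMsg.error "NUL character found in SQL string literal"; "")`. Passing every other byte through untouched is right for SQLite, whose string literals know only `''` as an escape, and a one-line comment saying so — `(* SQLite literals have no backslash escapes; only ' needs doubling, UTF-8 bytes go through raw *)` — would stop a later reader from "fixing" it to match the mysql/postgres variants.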
@@ -173,7 +173,7 @@ ws = [\ \t\012]; intconst = [0-9]+; realconst = [0-9]+\.[0-9]*; notags = [^<{\n(]+; -xcom = ([^-]|(-[^-]))+; +xcom = ([^\-]|(-[^\-]))+; oint = [0-9][0-9][0-9]; xint = x[0-9a-fA-F][0-9a-fA-F]; |