From: rajbot
Date: Wed, 29 Sep 2010 23:41:16 +0000 (+0000)
Subject: sanitize inputs
X-Git-Url: http://git.rot13.org/?p=bookreader.git;a=commitdiff_plain;h=8121ced192a5b255f5ed00dd44b18be5b043940c
sanitize inputs
---
diff --git a/BookReader/BookReader.js b/BookReader/BookReader.js
index 9227ac0..ee32b36 100644
--- a/BookReader/BookReader.js
+++ b/BookReader/BookReader.js
@@ -3840,6 +3840,7 @@ BookReader.prototype.ttsStop = function () {
 soundManager.stopAll();
 soundManager.destroySound('chunk'+this.ttsIndex+'-'+this.ttsPosition);
 this.ttsRemoveHilites();
+ this.ttsRemovePopup();
 this.ttsPlaying = false;
 this.ttsIndex = null; //leaf index
diff --git a/BookReaderIA/datanode/BookReaderGetText.py b/BookReaderIA/datanode/BookReaderGetText.py
index 9955968..3883fa8 100644
--- a/BookReaderIA/datanode/BookReaderGetText.py
+++ b/BookReaderIA/datanode/BookReaderGetText.py
@@ -25,6 +25,7 @@ from lxml import etree
 import sys
 import json
+import re
 minWordsInBlock = 25
 maxWordsInBlock = 50
@@ -33,12 +34,21 @@ path = sys.argv[1]
 pageNum = int(sys.argv[2])
 callback = sys.argv[3]
+if not re.match('^/\d{1,2}/items/.+_djvu.xml$', path):
+ sys.exit(-1);
+
+if ('ttsNextPageCB' != callback):
+ callback = 'ttsStartCB'
+
 tree = etree.parse(path)
 objects = tree.findall('//OBJECT')
 #print 'got %s objects' % len(objects)
+if pageNum > (len(objects)-1):
+ sys.exit(-1)
+
 page = objects[pageNum]
 lines = page.findall('.//LINE')
diff --git a/BookReaderIA/datanode/BookReaderGetTextWrapper.php b/BookReaderIA/datanode/BookReaderGetTextWrapper.php
index ca4d05b..8e3fd25 100644
--- a/BookReaderIA/datanode/BookReaderGetTextWrapper.php
+++ b/BookReaderIA/datanode/BookReaderGetTextWrapper.php
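Review bot: The path allow-list on the first added line of the `@@ -33,12` hunk leaves the middle of the path unconstrained — `.+` also matches `/` and `.`, so a directory-walking segment between `/items/` and `_djvu.xml` still passes, and the unescaped `.` in `_djvu.xml` is a wildcard rather than a literal dot; a per-segment class such as `r'^/\d{1,2}/items/[^/]+/[^/]+_djvu\.xml$'` (constructed example; match it to the real on-disk layout, and use a raw string so `\d` is not a string escape) confines the check to the intended item directory. The later bound `pageNum > (len(objects)-1)` rejects only overshoot: `int(sys.argv[2])` also yields negative numbers, which index `objects` from the end, so the check should read `if pageNum < 0 or pageNum > (len(objects)-1):`, and a non-numeric page value raises ValueError on the earlier `int()` call before either check runs. The `;` after `sys.exit(-1)` on the second added line is a stray C-ism.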
@@ -22,9 +22,9 @@ This file is part of BookReader.
 */
 //$env = 'LD_LIBRARY_PATH=/petabox/sw/lib/lxml/lib PYTHONPATH=/petabox/sw/lib/lxml/lib/python2.5/site-packages:$PYTHONPATH';
-$path=$_GET['path'];
-$page=$_GET['page'];
-$callback=$_GET['callback'];
+$path = escapeshellarg($_GET['path']);
+$page = escapeshellarg($_GET['page']);
+$callback = escapeshellarg($_GET['callback']);
 header('Content-Type: application/javascript');
 passthru("python BookReaderGetText.py $path $page $callback");
 ?>
diff --git a/BookReaderIA/datanode/BookReaderJSIA.php b/BookReaderIA/datanode/BookReaderJSIA.php
index 29f910d..f85ea2b 100644
--- a/BookReaderIA/datanode/BookReaderJSIA.php
+++ b/BookReaderIA/datanode/BookReaderJSIA.php
@@ -18,6 +18,8 @@ This file is part of BookReader.
 along with BookReader. If not, see .
 */
+header('Content-Type: application/javascript');
+
 $id = $_REQUEST['id'];
 $itemPath = $_REQUEST['itemPath'];
 $subPrefix = $_REQUEST['subPrefix'];
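Review bot: escapeshellarg() neutralizes shell metacharacters in the three new assignments, but the wrapper still hands every request straight to the interpreter: a missing key produces a PHP notice (emitted into the JavaScript body if display_errors is on) and an empty quoted argument, and a non-numeric `page` is only caught by the `int()` call in BookReaderGetText.py, which appears to traceback to stderr and leave the client with an empty response under the already-sent 200 header. Checking presence up front, `if (!isset($_GET['path'], $_GET['page'], $_GET['callback'])) { header('HTTP/1.0 400 Bad Request'); exit; }`, and casting the page number, `$page = escapeshellarg((int) $_GET['page']);`, fails fast at the boundary instead. escapeshellarg() can also drop bytes that are invalid in the current locale, so a path containing non-ASCII characters may be silently altered rather than rejected.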
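Review bot: The Content-Type header is the only change in BookReaderJSIA.php, while the `$_REQUEST` reads for `id`, `itemPath` and `subPrefix` directly below it stay unvalidated, unlike the path and callback checks this same commit adds to BookReaderGetText.py. How those values are consumed is outside the hunk, so this may already be handled further down; if any of them reaches a filesystem path, a shell command or the generated JavaScript, the same allow-list treatment (and json_encode() for anything echoed into the script body) belongs right after these three lines.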