- Improved security: Removed most [ns_conn form] calls in the system.

47426ea0 · Frank Bergmann · 9b2dae6f · 47426ea0 · 47426ea0
Commit 47426ea0 authored Jun 11, 2020 by Frank Bergmann
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 4 deletions

generic-sql-widget-procs.tcl tcl/generic-sql-widget-procs.tcl +1 -1

intranet-dynfield-procs.tcl tcl/intranet-dynfield-procs.tcl +2 -3

No files found.
--- a/tcl/generic-sql-widget-procs.tcl
+++ b/tcl/generic-sql-widget-procs.tcl
@@ -84,7 +84,7 @@ ad_proc -public template::widget::generic_sql { element_reference tag_attributes
    set substitution_hash(user_id) [ad_conn user_id]
    set form_vars [ns_conn form]
    foreach form_var [ad_ns_set_keys $form_vars] {
-	set form_val [ns_set get $form_vars $form_var]
+	set form_val [im_opt_val -limit_to nohtml $form_var]
 	set substitution_hash($form_var) $form_val
    }


--- a/tcl/intranet-dynfield-procs.tcl
+++ b/tcl/intranet-dynfield-procs.tcl
@@ -500,12 +500,11 @@ ad_proc -public im_dynfield::set_form_values_from_http {
    }

    foreach element $form_elements {
-
 	# Only set the values for variables that are found in the
 	# HTTP variable frame to avoid ambiguities
 	set pos [ns_set find $form_vars $element]
 	if {$pos >= 0} {
-	   set value [ns_set get $form_vars $element]
+	   set value [im_opt_val -limit_to $element]
 	   template::element::set_value $form_id $element $value
 	}
    }
@@ -535,7 +534,7 @@ ad_proc -public im_dynfield::set_local_form_vars_from_http {
 	# HTTP variable frame to avoid ambiguities
 	set pos [ns_set find $form_vars $element]
 	if {$pos >= 0} {
-	   set value [ns_set get $form_vars $element]
+	   set value [im_opt_val -limit_to nohtml $element]

 	   # Write the values to the calling stack frame
 	   upvar $element $element