escape HTML entities when showing in printable format

[staff.git] / shift.cgi

diff --git a/shift.cgi b/shift.cgi
index 7f9bcd6..303cce7 100755 (executable)
--- a/shift.cgi
+++ b/shift.cgi
@@ -2,7 +2,7 @@
 #!/usr/bin/perl -Tw
 # (Text::Template can't do -T, but no user input is used dangerously)
 #
-# $Id: shift.cgi,v 1.1 2000-05-11 11:27:32 ivan Exp $
+# $Id: shift.cgi,v 1.6 2003-07-30 22:16:36 ivan Exp $
 #
 # Copyright (C) 2000 Adam Gould
 # Copyright (C) 2000 Michal Migurski
@@ -16,9 +16,10 @@
 # user-servicable parts
 ###
 
-$template_file = '/home/ivan/staffsheet/table.html';
-$data_directory = '/home/ivan/staffsheet/data';
-$mail_smtpserver = 'localhost'; # set blank to disable
+$template_file = '/var/www/www.420.am/staff/table.html';
+$data_directory = '/var/www/www.420.am/staff/data';
+#$mail_smtpserver = 'localhost'; # set blank to disable
+$mail_smtpserver = ''; # set blank to disable
 $mail_from = 'ivan-misconfigured-shift-from@420.am';
 $mail_subject = 'Your shift has been replaced';
 @mail_cc = (
@@ -39,7 +40,7 @@ END
 use strict;
 use vars qw( $template_file $data_directory $mail_smtpserver $mail_from
              $mail_subject @mail_cc $mail_footer
-             $cgi $template %shifthash %warning @messages );
+             $cgi $template %shifthash %warning @messages $magic );
 use subs qw( form inputbox );
 use Fcntl ":flock";
 use CGI 2.15;
@@ -48,6 +49,7 @@ use Text::Template;
 use Mail::Internet;
 use Mail::Header;
 use Date::Format;
+use HTML::Entities;
 
 $cgi = new CGI;
 
@@ -102,13 +104,14 @@ if ( $cgi->param() ) {
     foreach my $field ( @diff_fields ) {
       $shifthash{$field}='' unless defined $shifthash{$field};
       if ( $shifthash{$field} eq $cgi->param($field. '_old') ) {
-        if ( $cgi->param($field. "_new") =~
-               /\b(\w[\w\-\.\+]*\@(([\w\.\-]+\.)+\w+))\b/
-             || $cgi->param($field. "_new") =~ /^\s*$/
+      if ( $cgi->param($field. "_new") =~
+             /^\s*(\w[\w\s\.\'\-]{0,99}<?\s{0,9}(\w[\w\-\.\+]{0,99}\@(([\w\.\-]{1,99}\.){1,99}\w{1,99}))\s{0,9}>?)\s*$/
+           || $cgi->param($field. "_new") =~ /^\s*()$/
         ) {
+          my $new = $1;
           open(FILE,">$data_directory/.new.$field")
             or die "Can't open file $data_directory/$field: $!";
-          print FILE $cgi->param($field. "_new");
+          print FILE $new;
           close FILE;
           rename "$data_directory/.new.$field", "$data_directory/$field";
           $warning{$field} = '';
@@ -132,7 +135,7 @@ if ( $cgi->param() ) {
                 "Hi,",
                 "",
                 "The \"$field\" shift you signed up for has been changed to",
-                '"'. $cgi->param($field. "_new"). '"',
+                '"'. $new. '"',
                 "",
                 split("\n", $mail_footer),
               ],
@@ -200,13 +203,15 @@ sub get_data {
 # subroutines for the template
 
 sub form {
- $cgi->start_form;
+ $magic = defined $cgi->param('__MAGIC') ? $cgi->param('__MAGIC') : '';
+ $cgi->delete_all();
+ $cgi->start_form();
 }
 
 sub inputbox {
   my $field = shift;
-  return $shifthash{$field} || "&nbsp;"
-    if defined $cgi->param('__MAGIC') && $cgi->param('__MAGIC') eq 'print';
+  return encode_entities($shifthash{$field}) || "&nbsp;"
+    if $magic eq 'print';
   $shifthash{$field}='' unless defined $shifthash{$field};
   $warning{$field}='' unless defined $warning{$field};
   #"$field ".