Commit 6a723f18 authored by Leigh Stoller's avatar Leigh Stoller

Encode metadata values with encode_entities() from HTML::Entities module.

This forces all metadata values to be plain text values for now.
parent 181608c7
...@@ -22,6 +22,7 @@ use libtestbed; ...@@ -22,6 +22,7 @@ use libtestbed;
use libtblog; use libtblog;
use Experiment; use Experiment;
use English; use English;
use HTML::Entities;
use overload ('""' => 'Stringify'); use overload ('""' => 'Stringify');
# Configure variables # Configure variables
...@@ -682,7 +683,8 @@ sub NewMetadata($$$$;$) ...@@ -682,7 +683,8 @@ sub NewMetadata($$$$;$)
} }
my $safename = DBQuoteSpecial($name); my $safename = DBQuoteSpecial($name);
my $safevalue = DBQuoteSpecial($value); # HTML entity encode; yep, plain text only.
my $safevalue = DBQuoteSpecial(encode_entities($value));
my $query_result = my $query_result =
DBQueryWarn("insert into experiment_template_metadata_items set ". DBQueryWarn("insert into experiment_template_metadata_items set ".
...@@ -786,7 +788,7 @@ sub ModifyMetadata($$$$) ...@@ -786,7 +788,7 @@ sub ModifyMetadata($$$$)
if ($already_exists <= 0); if ($already_exists <= 0);
$name = DBQuoteSpecial($name); $name = DBQuoteSpecial($name);
$value = DBQuoteSpecial($value); $value = DBQuoteSpecial(encode_entities($value));
DBQueryWarn("lock tables experiment_template_metadata_items write") DBQueryWarn("lock tables experiment_template_metadata_items write")
or return -1; or return -1;
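Review bot: Encoding at write time in NewMetadata (and the identical call in ModifyMetadata) only protects values stored from this commit on: rows already in experiment_template_metadata_items stay raw, and `$name` still goes in with `DBQuoteSpecial($name)` alone, so the page that renders these items must keep escaping on output unless names are restricted elsewhere (not visible in these hunks). If that page does escape, newly stored values will show up double-encoded (`&amp;lt;`), so the storage contract should be written down next to the call, e.g. `# Stored form is HTML-entity-encoded: HTML readers must not escape again, other consumers must decode_entities() first.` With no second argument encode_entities() also rewrites control and high-bit characters, so if non-ASCII metadata is meant to round-trip, consider `encode_entities($value, '<>&"\'')`. The encoded string can be longer than the input, and any length check on `$value` earlier in either sub is outside the hunk, so it is worth confirming that check runs against the encoded form. Both sub bodies start and end outside the lines shown.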
......