Hemiptera Bugtracker at bugs.linux-forks.de
advtrains
Need to escape more user-input values in formspecs
Send replies to 143@bugs.linux-forks.de or using the Form below.
Hemiptera Bugtracker at bugs.linux-forks.de
From: OP I noticed today that a route with [] in the name breaks the route formspec.
So I did some digging and noticed it occurred in quite a few places for
various user input things. Thankfully, it was just a few missing calls to
minetest.formspec_escape. I have prepared a patch for you that should fix
all occurences of this.
advtrains/wagons.lua | 8 ++++----
advtrains_interlocking/route_ui.lua | 4 ++--
advtrains_interlocking/tcb_ts_ui.lua | 12 ++++++------
advtrains_line_automation/stoprail.lua | 2 +-
advtrains_luaautomation/active_common.lua | 2 +-
advtrains_luaautomation/pcnaming.lua | 2 +-
6 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/advtrains/wagons.lua b/advtrains/wagons.lua
index 040c1e4..77bd55a 100644
--- a/advtrains/wagons.lua
+++ b/advtrains/wagons.lua
@@ -804,10 +804,10 @@ function wagon:show_bordcom(pname)
local data = advtrains.wagons[self.id]
local form = "size[11,9]label[0.5,0;AdvTrains Boardcom v0.1]"
- form=form.."textarea[0.5,1.5;7,1;text_outside;"..attrans("Text displayed
outside on train")..";"..(train.text_outside or "").."]"
- form=form.."textarea[0.5,3;7,1;text_inside;"..attrans("Text displayed
inside train")..";"..(train.text_inside or "").."]"
- form=form.."field[7.5,1.75;3,1;line;"..attrans("Line")..";"..(train.line
or "").."]"
-
form=form.."field[7.5,3.25;3,1;routingcode;"..attrans("Routingcode")..";"..(train.routingcode
or "").."]"
+ form=form.."textarea[0.5,1.5;7,1;text_outside;"..attrans("Text displayed
outside on train")..";"..(minetest.formspec_escape(train.text_outside) or
"").."]"
+ form=form.."textarea[0.5,3;7,1;text_inside;"..attrans("Text displayed
inside train")..";"..(minetest.formspec_escape(train.text_inside) or
"").."]"
+
form=form.."field[7.5,1.75;3,1;line;"..attrans("Line")..";"..(minetest.formspec_escape(train.line)
or "").."]"
+
form=form.."field[7.5,3.25;3,1;routingcode;"..attrans("Routingcode")..";"..(minetest.formspec_escape(train.routingcode)
or "").."]"
--row 5 : train overview and autocoupling
if train.velocity==0 then
form=form.."label[0.5,4.5;Train overview /coupling control:]"
diff --git a/advtrains_interlocking/route_ui.lua
b/advtrains_interlocking/route_ui.lua
index 4ddab0c..71fed09 100644
--- a/advtrains_interlocking/route_ui.lua
+++ b/advtrains_interlocking/route_ui.lua
@@ -25,13 +25,13 @@ function atil.show_route_edit_form(pname, sigd, routeid)
if not route then return end
local form = "size[9,10]label[0.5,0.2;Route overview]"
- form = form.."field[0.8,1.2;5.2,1;name;Route name;"..route.name.."]"
+ form = form.."field[0.8,1.2;5.2,1;name;Route
name;"..minetest.formspec_escape(route.name).."]"
form = form.."button[5.5,0.9;1,1;setname;Set]"
-- construct textlist for route information
local tab = {}
local function itab(t)
- tab[#tab+1] = string.gsub(t, ",", " ")
+ tab[#tab+1] = minetest.formspec_escape(string.gsub(t, ",", " "))
end
itab("TCB "..sigd_to_string(sigd).." ("..tcbs.signal_name..") Route
#"..routeid)
diff --git a/advtrains_interlocking/tcb_ts_ui.lua
b/advtrains_interlocking/tcb_ts_ui.lua
index 6c773ab..dcf6c6e 100644
--- a/advtrains_interlocking/tcb_ts_ui.lua
+++ b/advtrains_interlocking/tcb_ts_ui.lua
@@ -180,7 +180,7 @@ local function mktcbformspec(tcbs, btnpref, offset,
pname)
ts = ildb.get_ts(tcbs.ts_id)
end
if ts then
- form = form.."label[0.5,"..offset..";Side "..btnpref..": "..ts.name.."]"
+ form = form.."label[0.5,"..offset..";Side "..btnpref..":
"..minetest.formspec_escape(ts.name).."]"
form = form.."button[0.5,"..(offset+0.5)..";5,1;"..btnpref.."_gotots;Show
track section]"
if ildb.may_modify_tcbs(tcbs) then
-- Note: the security check to prohibit those actions is located in
database.lua in the corresponding functions.
@@ -315,7 +315,7 @@ function advtrains.interlocking.show_ts_form(ts_id,
pname, sel_tcb)
if not ts_id then return end
local form = "size[10,10]label[0.5,0.5;Track Section Detail -
"..ts_id.."]"
- form = form.."field[0.8,2;5.2,1;name;Section name;"..ts.name.."]"
+ form = form.."field[0.8,2;5.2,1;name;Section
name;"..minetest.formspec_escape(ts.name).."]"
form = form.."button[5.5,1.7;1,1;setname;Set]"
local hint
@@ -334,7 +334,7 @@ function advtrains.interlocking.show_ts_form(ts_id,
pname, sel_tcb)
local other_ts = ildb.get_ts(other_id)
if other_ts then
if ildb.may_modify_ts(other_ts) then
- form = form.."button[5.5,3;3.5,1;mklink;Join with "..other_ts.name.."]"
+ form = form.."button[5.5,3;3.5,1;mklink;Join with
"..minetest.formspec_escape(other_ts.name).."]"
form = form.."button[9 ,3;0.5,1;cancellink;X]"
end
end
@@ -555,7 +555,7 @@ function
advtrains.interlocking.show_signalling_form(sigd, pname, sel_rte)
if not tcbs.routes then tcbs.routes = {} end
local form = "size[7,10]label[0.5,0.5;Signal at
"..minetest.pos_to_string(sigd.p).."]"
- form = form.."field[0.8,1.5;5.2,1;name;Signal
name;"..tcbs.signal_name.."]"
+ form = form.."field[0.8,1.5;5.2,1;name;Signal
name;"..minetest.formspec_escape(tcbs.signal_name).."]"
form = form.."button[5.5,1.2;1,1;setname;Set]"
if tcbs.routeset then
@@ -566,13 +566,13 @@ function
advtrains.interlocking.show_signalling_form(sigd, pname, sel_rte)
return
end
form = form.."label[0.5,2.5;A route is requested from this signal:]"
- form = form.."label[0.5,3.0;"..rte.name.."]"
+ form = form.."label[0.5,3.0;"..minetest.formspec_escape(rte.name).."]"
if tcbs.route_committed then
form = form.."label[0.5,3.5;Route has been set.]"
else
form = form.."label[0.5,3.5;Waiting for route to be set...]"
if tcbs.route_rsn then
- form = form.."label[0.5,4;"..tcbs.route_rsn.."]"
+ form = form.."label[0.5,4;"..minetest.formspec_escape(tcbs.route_rsn).."]"
end
end
if not tcbs.route_auto then
diff --git a/advtrains_line_automation/stoprail.lua
b/advtrains_line_automation/stoprail.lua
index 0db474f..9855237 100644
--- a/advtrains_line_automation/stoprail.lua
+++ b/advtrains_line_automation/stoprail.lua
@@ -61,7 +61,7 @@ local function show_stoprailform(pos, player)
form =
form.."field[5,3.5;2,1;track;"..attrans("Track")..";"..stdata.track.."]"
form = form.."field[5,4.5;2,1;wait;"..attrans("Stop
Time")..";"..stdata.wait.."]"
- form = form.."textarea[0.5,4;4,2;ars;Trains stopping here (ARS
rules);"..advtrains.interlocking.ars_to_text(stdata.ars).."]"
+ form = form.."textarea[0.5,4;4,2;ars;Trains stopping here (ARS
rules);"..minetest.formspec_escape(advtrains.interlocking.ars_to_text(stdata.ars)).."]"
form = form.."button[0.5,6;7,1;save;"..attrans("Save").."]"
diff --git a/advtrains_luaautomation/active_common.lua
b/advtrains_luaautomation/active_common.lua
index c17c6e9..48f75ac 100644
--- a/advtrains_luaautomation/active_common.lua
+++ b/advtrains_luaautomation/active_common.lua
@@ -36,7 +36,7 @@ function ac.getform(pos, meta_p)
end
local sel = 1
for n,_ in pairs(atlatc.envs) do
- envs_asvalues[#envs_asvalues+1]=n
+ envs_asvalues[#envs_asvalues+1]=minetest.formspec_escape(n)
if n==env then
sel=#envs_asvalues
end
diff --git a/advtrains_luaautomation/pcnaming.lua
b/advtrains_luaautomation/pcnaming.lua
index 427585d..ebb769f 100644
--- a/advtrains_luaautomation/pcnaming.lua
+++ b/advtrains_luaautomation/pcnaming.lua
@@ -52,7 +52,7 @@
minetest.register_craftitem("advtrains_luaautomation:pcnaming",{
pn=name
end
end
- minetest.show_formspec(pname,
"atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of
component (empty to clear);"..pn.."]")
+ minetest.show_formspec(pname,
"atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of
component (empty to clear);"..minetest.formspec_escape(pn).."]")
end
end
end,
Status Update