changeset 1285:514be09d5018

Better UTF-8 escaping for JavaScript and SQL literals
author Adam Chlipala <adam@chlipala.net>
date Tue, 10 Aug 2010 15:55:43 -0400
parents 43ca083678f8
children 829da30fb808
files src/cjr_print.sml src/jscomp.sml src/mysql.sml src/postgres.sml src/sqlite.sml src/urweb.lex
diffstat 6 files changed, 34 insertions(+), 39 deletions(-) [+]
--- a/src/cjr_print.sml	Tue Aug 10 14:52:33 2010 -0400
+++ b/src/cjr_print.sml	Tue Aug 10 15:55:43 2010 -0400
@@ -2128,7 +2128,7 @@
       | DPreparedStatements _ => box []
 
       | DJavaScript s => box [string "static char jslib[] = \"",
-                              string (String.toString s),
+                              string (String.toCString s),
                               string "\";"]
       | DCookie s => box [string "/*",
                           space,
@@ -2585,7 +2585,7 @@
                             prefix ^ s
             in
                 box [string "if (!strncmp(request, \"",
-                     string (String.toString s),
+                     string (String.toCString s),
                      string "\", ",
                      string (Int.toString (size s)),
                      string ") && (request[",
@@ -2761,10 +2761,10 @@
                           box [string "if (!str",
                                case #kind rule of
                                    Settings.Exact => box [string "cmp(s, \"",
-                                                          string (String.toString (#pattern rule)),
+                                                          string (String.toCString (#pattern rule)),
                                                           string "\"))"]
                                  | Settings.Prefix => box [string "ncmp(s, \"",
-                                                           string (String.toString (#pattern rule)),
+                                                           string (String.toCString (#pattern rule)),
                                                            string "\", ",
                                                            string (Int.toString (size (#pattern rule))),
                                                            string "))"],
--- a/src/jscomp.sml	Tue Aug 10 14:52:33 2010 -0400
+++ b/src/jscomp.sml	Tue Aug 10 15:55:43 2010 -0400
@@ -435,7 +435,7 @@
                                       | #"\r" => "\\r"
                                       | #"\t" => "\\t"
                                       | ch =>
-                                        if Char.isPrint ch then
+                                        if Char.isPrint ch orelse ord ch >= 128 then
                                             String.str ch
                                         else
                                             "\\" ^ padWith (#"0",
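Review bot: Letting every byte with `ord ch >= 128` through unchanged on L52 also passes U+2028 and U+2029 (UTF-8 `E2 80 A8` / `E2 80 A9`) raw into the JavaScript string literal, and ECMAScript before ES2019 classes both as line terminators, so a constant containing either makes the emitted script a syntax error. Because this alternative handles one 8-bit char at a time it cannot see the three-byte sequence; the two code points need to be recognised at the sequence level and emitted as `\u2028` / `\u2029` (a byte-wise `\xHH` escape would not do, since it yields Latin-1 code units rather than the decoded character). Malformed or truncated UTF-8 is likewise passed through as-is here, which is only safe if the source text was validated earlier. The enclosing function starts before and ends after this hunk.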
--- a/src/mysql.sml	Tue Aug 10 14:52:33 2010 -0400
+++ b/src/mysql.sml	Tue Aug 10 15:55:43 2010 -0400
@@ -344,7 +344,7 @@
         fun stringOf r = case !r of
                              NONE => string "NULL"
                            | SOME s => box [string "\"",
-                                            string (String.toString s),
+                                            string (String.toCString s),
                                             string "\""]
     in
         app (fn s =>
@@ -477,7 +477,7 @@
                                                                newline,
 
                                                                string "if (mysql_stmt_prepare(stmt, \"",
-                                                               string (String.toString s),
+                                                               string (String.toCString s),
                                                                string "\", ",
                                                                string (Int.toString (size s)),
                                                                string ")) {",
@@ -974,7 +974,7 @@
               else
                   box [],
               string "if (mysql_stmt_prepare(stmt, \"",
-              string (String.toString query),
+              string (String.toCString query),
               string "\", ",
               string (Int.toString (size query)),
               string ")) {",
@@ -1185,7 +1185,7 @@
          newline,
 
          queryCommon {loc = loc, cols = cols, doCols = doCols, query = box [string "\"",
-                                                                            string (String.toString query),
+                                                                            string (String.toCString query),
                                                                             string "\""]},
 
          if nested then
@@ -1276,7 +1276,7 @@
               string "if (stmt == NULL) uw_error(ctx, FATAL, \"Out of memory allocating prepared statement\");",
               newline,
               string "if (mysql_stmt_prepare(stmt, \"",
-              string (String.toString dml),
+              string (String.toCString dml),
               string "\", ",
               string (Int.toString (size dml)),
               string ")) {",
@@ -1470,7 +1470,7 @@
          newline,
 
          dmlCommon {loc = loc, dml = box [string "\"",
-                                          string (String.toString dml),
+                                          string (String.toCString dml),
                                           string "\""]}]
 
 fun nextval {loc, seqE, seqName} =
@@ -1514,7 +1514,7 @@
                                                     (ErrorMsg.error
                                                          "Non-printing character found in SQL string literal";
                                                      ""))
-                                            (String.toString s) ^ "'"
+                                            (String.toCString s) ^ "'"
 
 fun p_cast (s, _) = s
 
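Review bot: For MySQL the octal escapes that `String.toCString` now emits for non-ASCII bytes on L117 are not decoded by the server: MySQL's string-literal grammar recognises only `\0 \' \" \b \n \r \t \Z \\ \% \_` and drops the backslash before any other character, so a UTF-8 constant such as `é` reaches the database as the text `303251`. The decimal `\195\169` from `String.toString` was equally wrong, so for this backend the commit does not achieve what its title says. MySQL accepts raw UTF-8 bytes inside a literal, so the safer shape is to translate `s` itself instead of `String.toCString s`, adding `| #"\\" => "\\\\"` beside the existing `#"'" => "''"` case and accepting `Char.isPrint ch orelse ord ch >= 128` before the `ErrorMsg.error` branch. This assumes the default sql_mode without `NO_BACKSLASH_ESCAPES`, which the existing escaping already assumed; the function header is outside the hunk.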
--- a/src/postgres.sml	Tue Aug 10 14:52:33 2010 -0400
+++ b/src/postgres.sml	Tue Aug 10 15:55:43 2010 -0400
@@ -331,7 +331,7 @@
                                                   box [string "res = PQprepare(conn, \"uw",
                                                        string (Int.toString i),
                                                        string "\", \"",
-                                                       string (String.toString s),
+                                                       string (String.toCString s),
                                                        string "\", ",
                                                        string (Int.toString n),
                                                        string ", NULL);",
@@ -349,7 +349,7 @@
                                                             string "PQfinish(conn);",
                                                             newline,
                                                             string "uw_error(ctx, FATAL, \"Unable to create prepared statement:\\n",
-                                                            string (String.toString s),
+                                                            string (String.toCString s),
                                                             string "\\n%s\", msg);",
                                                             newline],
                                                        string "}",
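Review bot: `String.toCString s` on L137 makes the statement text lexically valid C, but the literal it lands in is the format argument of `uw_error(ctx, FATAL, "Unable to create prepared statement:\n...\n%s", msg)` (the `%s` on L138 is consumed by `msg`), so if `uw_error` is printf-style, as that suggests, any `%` in the SQL — a `LIKE '%x%'` pattern, say — becomes a stray conversion on this error path that reads arguments never passed. Double the percent signs before C-escaping: `string (String.toCString (String.translate (fn #"%" => "%%" | c => str c) s))`. The `PQprepare` call on L128 does not need this, because there the text is data rather than a format. The enclosing function continues outside the hunk.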
@@ -473,7 +473,7 @@
          string "static void uw_db_init(uw_context ctx) {",
          newline,
          string "PGconn *conn = PQconnectdb(\"",
-         string (String.toString dbstring),
+         string (String.toCString dbstring),
          string "\");",
          newline,
          string "if (conn == NULL) uw_error(ctx, FATAL, ",
@@ -698,14 +698,14 @@
                   string ", paramValues, paramLengths, paramFormats, 0);"]
          else
              box [string "PQexecParams(conn, \"",
-                  string (String.toString query),
+                  string (String.toCString query),
                   string "\", ",
                   string (Int.toString (length inputs)),
                   string ", NULL, paramValues, paramLengths, paramFormats, 0);"],
          newline,
          newline,
          queryCommon {loc = loc, cols = cols, doCols = doCols, query = box [string "\"",
-                                                                            string (String.toString query),
+                                                                            string (String.toCString query),
                                                                             string "\""]}]
 
 fun dmlCommon {loc, dml} =
@@ -779,14 +779,14 @@
                   string ", paramValues, paramLengths, paramFormats, 0);"]
          else
              box [string "PQexecParams(conn, \"",
-                  string (String.toString dml),
+                  string (String.toCString dml),
                   string "\", ",
                   string (Int.toString (length inputs)),
                   string ", NULL, paramValues, paramLengths, paramFormats, 0);"],
          newline,
          newline,
          dmlCommon {loc = loc, dml = box [string "\"",
-                                          string (String.toString dml),
+                                          string (String.toCString dml),
                                           string "\""]}]
 
 fun nextvalCommon {loc, query} =
@@ -863,12 +863,12 @@
                   string "\", 0, NULL, NULL, NULL, 0);"]
          else
              box [string "PQexecParams(conn, \"",
-                  string (String.toString query),
+                  string (String.toCString query),
                   string "\", 0, NULL, NULL, NULL, NULL, 0);"],
          newline,
          newline,
          nextvalCommon {loc = loc, query = box [string "\"",
-                                                string (String.toString query),
+                                                string (String.toCString query),
                                                 string "\""]}]
 
 fun setvalCommon {loc, query} =
@@ -921,7 +921,7 @@
                                                  else
                                                      "\\" ^ StringCvt.padLeft #"0" 3
                                                                               (Int.fmt StringCvt.OCT (ord ch)))
-                                             (String.toString s) ^ "'::text"
+                                             (String.toCString s) ^ "'::text"
 
 fun p_cast (s, t) = s ^ "::" ^ p_sql_type t
 
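Review bot: The `\ooo` escapes that `String.toCString` produces for non-ASCII bytes on L204 are decoded by PostgreSQL only inside an escape-string literal (`E'...'`) or with `standard_conforming_strings = off`; the opening quote is outside this hunk (the function starts before L199), so confirm it is `E'`, otherwise a UTF-8 constant reaches the server as the six characters `\303\251`. If the prefix is a plain `'`, the SQLite shape used elsewhere in this commit is the right one: translate the raw `s` and let the bytes through with `if Char.isPrint ch orelse ord ch >= 128 then str ch`, since PostgreSQL accepts UTF-8 bytes in a literal directly. The trailing `'::text` cast on L204 is unaffected either way.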
--- a/src/sqlite.sml	Tue Aug 10 14:52:33 2010 -0400
+++ b/src/sqlite.sml	Tue Aug 10 15:55:43 2010 -0400
@@ -230,7 +230,7 @@
                                                                    newline]
                                                       in
                                                           box [string "if (sqlite3_prepare_v2(conn->conn, \"",
-                                                               string (String.toString s),
+                                                               string (String.toCString s),
                                                                string "\", -1, &conn->p",
                                                                string (Int.toString i),
                                                                string ", NULL) != SQLITE_OK) {",
@@ -242,7 +242,7 @@
                                                                     string "msg[1023] = 0;",
                                                                     newline,
                                                                     uhoh false ("Error preparing statement: "
-                                                                                ^ String.toString s ^ "<br />%s") ["msg"]],
+                                                                                ^ String.toCString s ^ "<br />%s") ["msg"]],
                                                                string "}",
                                                                newline]
                                                       end)
@@ -651,9 +651,9 @@
                   newline],
 
          string "if (sqlite3_prepare_v2(conn->conn, \"",
-         string (String.toString query),
+         string (String.toCString query),
          string "\", -1, &stmt, NULL) != SQLITE_OK) uw_error(ctx, FATAL, \"Error preparing statement: ",
-         string (String.toString query),
+         string (String.toCString query),
          string "<br />%s\", sqlite3_errmsg(conn->conn));",
          newline,
          if nested then
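Review bot: The second `String.toCString query` on L236 is interpolated into the format argument of `uw_error(ctx, FATAL, "Error preparing statement: ...<br />%s", sqlite3_errmsg(...))`, so if `uw_error` is printf-style, as the `%s` on L237 indicates, a `%` in the query text (any `LIKE '%x%'`) becomes an extra conversion specifier on the failure path and reads an argument that was never supplied. Percent signs should be doubled for that occurrence only: `string (String.toCString (String.translate (fn #"%" => "%%" | c => str c) query)),`. The first occurrence on L233 is passed to `sqlite3_prepare_v2` as data and is correct as written. The enclosing function continues outside the hunk.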
@@ -677,7 +677,7 @@
          newline,
 
          queryCommon {loc = loc, cols = cols, doCols = doCols, query = box [string "\"",
-                                                                            string (String.toString query),
+                                                                            string (String.toCString query),
                                                                             string "\""]},
 
          string "uw_pop_cleanup(ctx);",
@@ -739,9 +739,9 @@
          string "if (stmt == NULL) {",
          newline,
          box [string "if (sqlite3_prepare_v2(conn->conn, \"",
-              string (String.toString dml),
+              string (String.toCString dml),
               string "\", -1, &stmt, NULL) != SQLITE_OK) uw_error(ctx, FATAL, \"Error preparing statement: ",
-              string (String.toString dml),
+              string (String.toCString dml),
               string "<br />%s\", sqlite3_errmsg(conn->conn));",
               newline,
               string "conn->p",
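Review bot: As in the query path, the `String.toCString dml` on L257 ends up inside the `uw_error` format string that the `%s` on L258 belongs to, so a `%` in the DML text would be parsed as a conversion specifier when preparation fails, if `uw_error` is printf-style. Escape it for that occurrence: `string (String.toCString (String.translate (fn #"%" => "%%" | c => str c) dml)),`, leaving the `sqlite3_prepare_v2` argument on L254 as it is. The enclosing function continues outside the hunk.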
@@ -760,7 +760,7 @@
          newline,
 
          dmlCommon {loc = loc, dml = box [string "\"",
-                                          string (String.toString dml),
+                                          string (String.toCString dml),
                                           string "\""]},
 
          string "uw_pop_cleanup(ctx);",
@@ -800,14 +800,9 @@
 fun setval _ = raise Fail "SQLite.setval called"
 
 fun sqlifyString s = "'" ^ String.translate (fn #"'" => "''"
-                                              | ch =>
-                                                if Char.isPrint ch then
-                                                    str ch
-                                                else
-                                                    (ErrorMsg.error
-                                                         "Non-printing character found in SQL string literal";
-                                                     ""))
-                                            (String.toString s) ^ "'"
+                                              | #"\000" => ""
+                                              | ch => str ch)
+                                            s ^ "'"
 
 fun p_cast (s, _) = s
 
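Review bot: The new `| #"\000" => ""` case on L282 silently deletes NUL bytes from a SQL string constant, so a program whose literal contains `\000` now compiles to a query whose string differs from the source with no diagnostic, whereas the MySQL backend in this same commit still raises `ErrorMsg.error` for such characters. Report it instead of dropping it: `| #"\000" => (ErrorMsg.error "NUL character found in SQL string literal"; "")`. Removing the byte is understandable, since a NUL would otherwise truncate the C string that `sqlite3_prepare_v2` reads with length `-1`, but that is a reason to reject the constant, not to rewrite it. Passing every other byte through raw is right for SQLite, which has no backslash escapes and takes UTF-8 in literals directly, and the later `String.toCString` over the whole query preserves those bytes in the generated C.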
--- a/src/urweb.lex	Tue Aug 10 14:52:33 2010 -0400
+++ b/src/urweb.lex	Tue Aug 10 15:55:43 2010 -0400
@@ -173,7 +173,7 @@
 intconst = [0-9]+;
 realconst = [0-9]+\.[0-9]*;
 notags = [^<{\n(]+;
-xcom = ([^-]|(-[^-]))+;
+xcom = ([^\-]|(-[^\-]))+;
 oint = [0-9][0-9][0-9];
 xint = x[0-9a-fA-F][0-9a-fA-F];