
Made query string parameter subsitutions case-insensitive. (#4511)

1 parent 3471778 commit 5d73833c78496bf91bb54e3f235f0e5fd6a162f2 @sdlime sdlime committed Nov 4, 2012
Showing with 5 additions and 3 deletions.
  1. +5 −3 maptemplate.c
@@ -4002,16 +4002,18 @@ static char *processLine(mapservObj *mapserv, char *instr, FILE *stream, int mod
for(i=0; i<mapserv->request->NumParams; i++) {
/* Replace [variable] tags using values from URL. We cannot offer a
- * [variable_raw] option here due to the risk of XSS
+ * [variable_raw] option here due to the risk of XSS.
+ *
+ * Replacement is case-insensitive. (#4511)
*/
snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", mapserv->request->ParamNames[i]);
encodedstr = msEncodeHTMLEntities(mapserv->request->ParamValues[i]);
- outstr = msReplaceSubstring(outstr, substr, encodedstr);
+ outstr = msCaseReplaceSubstring(outstr, substr, encodedstr);
free(encodedstr);
snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", mapserv->request->ParamNames[i]);
encodedstr = msEncodeUrl(mapserv->request->ParamValues[i]);
- outstr = msReplaceSubstring(outstr, substr, encodedstr);
+ outstr = msCaseReplaceSubstring(outstr, substr, encodedstr);
free(encodedstr);
}
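Review bot: With case-insensitive matching, two request parameters whose names differ only in case (say `Layer` and `layer`, names constructed for illustration) now compete for the same tag. Because the loop walks `ParamNames` in order, and assuming `msCaseReplaceSubstring` replaces every occurrence, the first one consumes all `[layer]`/`[Layer]` tags and the later one never substitutes. The template can then render a different value than other code reads for the same parameter, so the new comment should state the rule, e.g. `* If two parameter names differ only in case, the first one in request order wins.` Separately, both `snprintf` calls ignore their return value, so a parameter name too long for `substr` yields a truncated tag without its closing `]`, which is then matched case-insensitively against the template; skipping the parameter when the return is negative or `>= PROCESSLINE_BUFLEN` would avoid that. The body of processLine starts and ends outside this hunk, and the replacement helper is not visible here, so its NULL-return behaviour should be confirmed at its definition.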
