Kouhei Sutou
kou****@clear*****
Mon Oct 6 08:00:23 JST 2014
> +def escape_for_param(value)
> + URI.escape(URI.escape(value.to_s), /[;&]/)
> end

Actually, it turned out that the specification of URI.escape was flawed, so it has been made obsolete.
http://rurema.clear-code.com/2.1.0/method/URI/s/encode.html

Please use CGI.escape(value) instead!
http://rurema.clear-code.com/2.1.0/method/CGI/s/escape.html

--sanitize might no longer be necessary?

In <38af0e9cb9a525acfb6a365720acfee829df765f at jenkins.clear-code.com>
  "[Groonga-commit] droonga/drnbench at 38af0e9 [master] Split options to sanitize and escape." on Sat, 04 Oct 2014 20:34:26 +0900,
  SHIMODA "Piro" Hiroshi <null+groonga at clear-code.com> wrote:

> SHIMODA "Piro" Hiroshi 2014-10-04 20:34:26 +0900 (Sat, 04 Oct 2014)
>
> New Revision: 38af0e9cb9a525acfb6a365720acfee829df765f
> https://github.com/droonga/drnbench/commit/38af0e9cb9a525acfb6a365720acfee829df765f
>
> Message:
> Split options to sanitize and escape.
>
> And, escape "&", ";" also for a query parameter.
>
> Modified files:
> bin/drnbench-extract-searchterms
>
> Modified: bin/drnbench-extract-searchterms (+13 -3)
> ===================================================================
> --- bin/drnbench-extract-searchterms 2014-10-04 20:24:23 +0900 (2e5f6f4)
> +++ bin/drnbench-extract-searchterms 2014-10-04 20:34:26 +0900 (e4b711d)
> @@ -19,9 +19,11 @@ require "drnbench"
> require "ostruct"
> require "optparse"
> require "json"
> +require "uri"
>
> options = OpenStruct.new
> options.column_index = 0
> +options.sanitize = false
> options.escape = false
>
> option_parser = OptionParser.new do |parser|
> @@ -32,6 +34,10 @@ option_parser = OptionParser.new do |parser|
> "(#{options.output_column_index})") do |index|
> options.column_index = index
> end
> + parser.on("--sanitize",
> + "Sanitize dangerous characters for \"query\" parameter") do
> + options.sanitize = true
> + end
> parser.on("--escape",
> "Escape output for URL parameter") do
> options.escape = true
> @@ -40,11 +46,14 @@ end
>
> groonga_select_result_files = option_parser.parse!(ARGV)
>
> -def sanitize_for_param(value)
> +def sanitize_for_query(value)
> value.to_s
> .gsub(/[:;]/, " ")
> .strip
> - .gsub(/ +/, "%20")
> +end
> +
> +def escape_for_param(value)
> + URI.escape(URI.escape(value.to_s), /[;&]/)
> end
>
> def output_column_value(select_result, column_index)
> @@ -54,7 +63,8 @@ def output_column_value(select_result, column_index)
> records = search_result[2..-1]
> records.each do |record|
> value = record[column_index]
> - value = sanitize_for_param(value) if options.escape
> + value = sanitize_for_query(value) if options.sanitize
> + value = escape_for_param(value) if options.escape
> puts(value)
> end
> end
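Review bot: In the `@@ -19,9 +19,11 @@` hunk, `+require "uri"` is only there to reach `URI.escape`; if the escaping moves to `CGI.escape` as the reply recommends, this line should become `require "cgi"`, otherwise the script will fail with an uninitialized constant at the first escaped value.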
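Review bot: In the `@@ -32,6 +34,10 @@` hunk, the new `--sanitize` help text ("Sanitize dangerous characters for \"query\" parameter") does not say which characters go; since `sanitize_for_query` replaces `:` and `;` with spaces, naming them in the help text (for example "Replace ':' and ';' in the query with spaces") tells users what they lose. Splitting the flag also changes what `--escape` alone does for existing users, which deserves a sentence in the commit message. Drive-by: the unchanged context line `"(#{options.output_column_index})") do |index|` interpolates `options.output_column_index`, but the struct only ever sets `options.column_index`, so the default shown in `--help` is empty.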
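Review bot: In the `@@ -40,11 +46,14 @@` hunk, `URI.escape(URI.escape(value.to_s), /[;&]/)` still leaves `=` and `+` raw: the first pass treats them as reserved characters and leaves them alone, and the second pass only covers `;` and `&`. A search term containing `=` then breaks `key=value` parsing on the receiving side, and a literal `+` is decoded as a space by any form-decoding server. `CGI.escape(value.to_s)` encodes all of these in one pass, so the explicit `/[;&]/` pass goes away with it. Separately, dropping `.gsub(/ +/, "%20")` from the sanitizer means `--sanitize` without `--escape` now emits raw spaces where the old `--escape` produced `%20`.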
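Review bot: In the `@@ -54,7 +63,8 @@` hunk, running `sanitize_for_query` before `escape_for_param` is the right order (escaping first would turn the `;` the sanitizer wants to strip into `%3B`), but a value consisting only of `:` or `;` becomes `""` after `.gsub(/[:;]/, " ").strip` and is still passed to `puts(value)`, so the output gains an empty line that a consumer reading one term per line will send as an empty query. Consider `next if value.empty?` before the `puts`.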
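As an added illustration of the reply's point (example code written for this page, not the drnbench project's own and not part of the thread), the block below reimplements the default behaviour of the obsoleted `URI.escape` so that the commit's two-pass `escape_for_param` can be compared with `CGI.escape` on a current Ruby, where `URI.escape` no longer exists. The `legacy_uri_escape` helper, the `round_trip` decoder and the sample search term are assumptions of this example.

```ruby
require "cgi"
require "uri"

# Re-implementation of the default behaviour of URI.escape, which was
# obsoleted and later removed from Ruby. It exists only so that the
# comparison runs on a current interpreter. The character class is the old
# URI::UNSAFE pattern: everything except the RFC 2396 unreserved and
# reserved characters. Note that ';', '&', '=' and '+' are reserved and
# therefore left untouched by the default pass.
LEGACY_UNSAFE = /[^-_.!~*'()a-zA-Z\d;\/?:@&=+$,\[\]]/

def legacy_uri_escape(str, unsafe = LEGACY_UNSAFE)
  str.gsub(unsafe) do |ch|
    ch.unpack("C*").map { |byte| "%%%02X" % byte }.join
  end
end

# The commit's escape_for_param on top of the legacy escaper: one pass with
# the default class, then a second pass that covers ';' and '&' only.
def escape_for_param_legacy(value)
  legacy_uri_escape(legacy_uri_escape(value.to_s), /[;&]/)
end

# The replacement the reply recommends. CGI.escape produces
# application/x-www-form-urlencoded output: every reserved character
# (including '=', '+', ';', '&' and ':') becomes %XX and a space becomes '+'.
def escape_for_param_cgi(value)
  CGI.escape(value.to_s)
end

# Put the escaped term into a query string and decode it the way a
# form-decoding server would (URI.decode_www_form is the standard-library
# decoder for that format). Returns what the server sees as "query".
def round_trip(escaper, term)
  URI.decode_www_form("query=#{escaper.call(term)}").to_h["query"]
end

# Constructed sample search term containing every character that matters
# for a query parameter: '=', '&', ';', a space and a literal '+'.
SAMPLE_TERM = "a=b&c;d e+f"

if __FILE__ == $0
  [[:legacy, method(:escape_for_param_legacy)],
   [:cgi, method(:escape_for_param_cgi)]].each do |name, escaper|
    escaped = escaper.call(SAMPLE_TERM)
    puts "#{name}: #{escaped} -> server sees #{round_trip(escaper, SAMPLE_TERM).inspect}"
  end
end
```

Running it prints both encodings next to what a form-decoding server recovers from each: the two-pass legacy form emits `a=b%26c%3Bd%20e+f`, whose `=` is left raw and whose `+` comes back as a space, while `CGI.escape` emits `a%3Db%26c%3Bd+e%2Bf` and round-trips the term exactly. Because `CGI.escape` already encodes `;` and `&`, the extra `/[;&]/` pass in the commit becomes redundant.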