Added support for passing parameter_name:value_constraint to xowiki::Package->get_parameter
- The get_parameter method can get values from query-parameters, therefore we have to validate these.
- Use the new feature at several places (especially for boolean values)
- Still, more places should be checked
- bumped xowiki to 5.10.1d37
- bumped xotcl-core to 5.10.1d14
Check content of the string to identify potentially unsafe content in the provided string. The content is unsafe when it contains externally provided content, which might be provided e.g. via query variables, or via user values stored in the database. When such content contains square braces, a "subst" command on these can evaluate arbitrary commands, which is dangerous.
The new API call is used in "::xo::Package->return_page", where the "subst" command is stripped of its command substitution capabilities. In case command substitution is needed, perform this prior to this call.
bumped acs-tcl to 5.10.1d23
bumped xotcl-core to 5.10.1d13
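
The risk described in the commit message above, as an added Tcl example that is not part of the commit or of the project's code: external text containing square brackets is executed by a plain "subst", while "subst -nocommands" leaves it inert. The helper name has_command_substitution and all sample values are assumptions constructed for illustration.

```tcl
# Constructed sample: a value as it might arrive via a query variable.
# The bracketed part is a harmless marker command for the demonstration.
set title {Hello [set ::touched 1]}

# Hypothetical helper (name is an assumption, not the project's API):
# returns 1 when the string contains square brackets, which "subst"
# would treat as command substitution.
proc has_command_substitution {text} {
    return [regexp {\[|\]} $text]
}

# The external value becomes part of the template text before "subst" sees it.
set template "<h1>$title</h1> rendered for \$user"
set user "alice"   ;# constructed value

# Unsafe: full substitution executes the embedded command.
set ::touched 0
set unsafe [subst $template]
puts "plain subst:       touched=$::touched  -> $unsafe"

# Hardened: command substitution disabled, variables still expanded.
set ::touched 0
set safe [subst -nocommands $template]
puts "subst -nocommands: touched=$::touched  -> $safe"

# Defence in depth: reject bracketed external input before templating.
foreach candidate [list $title {Release notes}] {
    puts "[list $candidate] unsafe=[has_command_substitution $candidate]"
}
```

Per the Tcl "subst" documentation, command substitution needed to complete a variable substitution still takes place under -nocommands, so checking external input for brackets remains worthwhile alongside it.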