diff --git a/.github/workflows/generate-pdf.yml b/.github/workflows/generate-pdf.yml
index b247190..984bf18 100644
--- a/.github/workflows/generate-pdf.yml
+++ b/.github/workflows/generate-pdf.yml
@@ -16,9 +16,9 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3
- - name: Install Pandoc, Latex necessities, and pdftk
+ - name: Install Pandoc, Latex necessities, lua, and pdftk
run: |
- sudo apt-get install -y pandoc texlive texlive-latex-extra poppler-utils texlive-extra-utils pdftk
+ sudo apt-get install -y pandoc texlive texlive-latex-extra poppler-utils texlive-extra-utils lua5.3 pdftk
- name: Install Python
uses: actions/setup-python@v4
@@ -78,7 +78,7 @@ jobs:
)
for md_file in "${file_list[@]}"; do
pdf_file_name="pdf_output/$(echo "$md_file" | sed 's/\//_/g' | sed 's/.md//g').pdf"
- python3 pdf-generation/generate-pdf-edits.py "$md_file" | pandoc -V geometry:margin=1in -V colorlinks=true -V linkcolor=blue -V urlcolor=blue --pdf-engine=pdflatex -o "$pdf_file_name"
+ python3 pdf-generation/generate-pdf-edits.py "$md_file" | pandoc -V geometry:margin=1in -V colorlinks=true -V linkcolor=blue -V urlcolor=blue --lua-filter=pdf-generation/color-text-span.lua --pdf-engine=pdflatex -o "$pdf_file_name"
if [ ! -f "$pdf_file_name" ]; then
echo "Error: PDF file $pdf_file_name not created!" >&2
diff --git a/_sass/color_schemes/dark_wider.scss b/_sass/color_schemes/dark_wider.scss
index bf83d03..781a0e3 100644
--- a/_sass/color_schemes/dark_wider.scss
+++ b/_sass/color_schemes/dark_wider.scss
@@ -106,16 +106,16 @@ a.skip-to-main:focus, a.skip-to-main:active {
color: #f5f6fa !important;
}
-span.blue {
- color: #00D3EB;
+span[style*="color:blue"] {
+ color: #00D3EB !important;
}
-span.red {
- color: #FFB3B3;
+span[style*="color:red"] {
+ color: #FFB3B3 !important;
}
-span.green {
- color: #79DB00;
+span[style*="color:green"] {
+ color: #79DB00 !important;
}
body {
diff --git a/_sass/color_schemes/wider.scss b/_sass/color_schemes/wider.scss
index cef3ee6..5c81470 100644
--- a/_sass/color_schemes/wider.scss
+++ b/_sass/color_schemes/wider.scss
@@ -102,16 +102,16 @@ a.skip-to-main:focus, a.skip-to-main:active {
color: #27262b !important;
}
-span.blue {
- color: blue;
+span[style*="color:blue"] {
+ color: blue !important;
}
-span.red {
- color: #AD0000;
+span[style*="color:red"] {
+ color: #AD0000 !important;
}
-span.green {
- color: #005200;
+span[style*="color:green"] {
+ color: #005200 !important;
}
body, .site-footer {
diff --git a/pdf-generation/color-text-span.lua b/pdf-generation/color-text-span.lua
new file mode 100644
index 0000000..8d8a9f5
--- /dev/null
+++ b/pdf-generation/color-text-span.lua
@@ -0,0 +1,39 @@
+-- https://stackoverflow.com/questions/62831191/using-span-for-font-color-in-pandoc-markdown-for-both-html-and-pdf
+-- https://bookdown.org/yihui/rmarkdown-cookbook/font-color.html
+-- https://ulriklyngs.com/post/2019/02/20/how-to-use-pandoc-filters-for-advanced-customisation-of-your-r-markdown-documents/
+
+function Span (el)
+ local style = el.attributes.style
+ if style and string.find(style, "color") then
+ stylestr = style
+ thecolor = string.match(stylestr, "color:%s*(%a+);?")
+
+ local color_mapping = {
+ blue = "blue",
+ red = "purple",
+ green = "teal",
+ }
+
+ local latex_color = color_mapping[thecolor]
+
+ --print(thecolor)
+ if FORMAT:match 'latex' then
+ -- encapsulate in latex code
+ table.insert(
+ el.content, 1,
+ pandoc.RawInline('latex', '\\textcolor{'..latex_color..'}{')
+ )
+ table.insert(
+ el.content,
+ pandoc.RawInline('latex', '}')
+ )
+ -- returns only span content
+ return el.content
+ else
+ -- for other format return unchanged
+ return el
+ end
+ else
+ return el
+ end
+ end
\ No newline at end of file
diff --git a/web/cookies.md b/web/cookies.md
index 78a7725..8348884 100644
--- a/web/cookies.md
+++ b/web/cookies.md
@@ -5,6 +5,9 @@ nav_order: 4
layout: page
header-includes:
- \pagenumbering{gobble}
+output:
+ pdf_document:
+ pandoc_args: ["--lua-filter=color-text-span.lua"]
---
# 20. Cookies and Session Management
@@ -28,7 +31,7 @@ For security and functionality reasons, we don't want the browser to send every
The browser sends a cookie to a given URL if the cookie's `Domain` attribute is a domain-suffix of the URL domain, and the cookie's `Path` attribute is a prefix of the URL path. In other words, the URL domain should end in the cookie's `Domain` attribute, and the URL path should begin with the cookie's `Path` attribute.
-For example, a cookie with Domain=example.com and Path=/some/path will be included on a request to http://foo.example.com/some/path/index.html, because the URL domain ends in the cookie domain, and the URL path begins with the cookie path.
+For example, a cookie with Domain=example.com and Path=/some/path will be included on a request to http://foo.example.com/some/path/index.html, because the URL domain ends in the cookie domain, and the URL path begins with the cookie path.
Note that cookie policy uses a different set of rules than the same origin policy. This has caused problems in the past. {% comment %} Nick wrote: "has caused problems in the path." typo? -peyrin {% endcomment %}
diff --git a/web/intro.md b/web/intro.md
index 67d9445..768c70e 100644
--- a/web/intro.md
+++ b/web/intro.md
@@ -5,6 +5,9 @@ nav_order: 2
layout: page
header-includes:
- \pagenumbering{gobble}
+output:
+ pdf_document:
+ pandoc_args: ["--lua-filter=color-text-span.lua"]
---
# 18. Introduction to the Web
@@ -15,9 +18,9 @@ Every resource (webpage, image, PDF, etc.) on the web is identified by a URL (Un
- http://www.example.com/index.html
+ http://www.example.com/index.html
@@ -41,13 +44,13 @@ In summary, a URL with all elements present may look like this:
- http://evanbot@www.cs161.org:161/whoami?k1=v1&k2=v2#anchor
+ http://evanbot@www.cs161.org:161/whoami?k1=v1&k2=v2#anchor
diff --git a/web/sqli.md b/web/sqli.md
index 7e125ba..0f2cbc8 100644
--- a/web/sqli.md
+++ b/web/sqli.md
@@ -5,6 +5,9 @@ nav_order: 1
layout: page
header-includes:
- \pagenumbering{gobble}
+output:
+ pdf_document:
+ pandoc_args: ["--lua-filter=color-text-span.lua"]
---
# 17. SQL Injection
@@ -13,7 +16,7 @@ header-includes:
SQL injection is a special case of a more broad category of attacks called code injections.
-As an example, consider a calculator website that accepts user input and calls `eval` in Python in the server backend to perform the calculation. For example, if a user types 2+3 into the website, the server will run eval('2+3') and return the result to the user.
+As an example, consider a calculator website that accepts user input and calls `eval` in Python in the server backend to perform the calculation. For example, if a user types 2+3 into the website, the server will run eval('2+3') and return the result to the user.
If the web server is not careful about checking user input, an attacker could provide a malicious input like
@@ -24,7 +27,7 @@ If the web server is not careful about checking user input, an attacker could pr
When the web server plugs this into the `eval` function, the result looks like
- eval("2+3"); os.system("rm *.*")
+ eval("2+3"); os.system("rm *.*")
If interpreted as code, this statement causes the web server to delete all its files!
@@ -47,7 +50,7 @@ A user can make an HTTP GET request for a course rating through a URL:
- http://www.berkeley.edu/evals?course=cs61a
@@ -56,7 +59,7 @@ To process this request, the server performs a SQL query to look up the rating c
- SELECT rating FROM evals WHERE course = '
@@ -73,7 +76,7 @@ When the web server plugs this into the SQL query, the resulting query looks lik
- SELECT rating FROM evals WHERE course = '
@@ -95,8 +98,8 @@ When the web server receives a login request, it creates a SQL query by plugging
- SELECT username FROM users WHERE username = 'alice' AND password = 'password123'
+ SELECT username FROM users WHERE username = 'alice' AND password = 'password123'
@@ -109,8 +112,8 @@ First, in the username field, we should add a dummy username and a quote to end
SELECT username FROM users WHERE username =
- 'alice'' AND password =
- 'password123'
+ 'alice'' AND password =
+ 'password123'
@@ -119,8 +122,8 @@ Next, we need to add some SQL syntax so that this query returns more than 0 rows
SELECT username FROM users WHERE username =
- 'alice' OR 1=1' AND password =
- '_____'
+ 'alice' OR 1=1' AND password =
+ '_____'
@@ -129,9 +132,9 @@ Next, we have to add some SQL so that the rest of the query doesn't throw a synt
SELECT username FROM users WHERE username =
- 'alice' OR 1=1; SELECT username FROM users WHERE username = 'alice' AND password = '_____'
+ >' AND password = '_____'
@@ -140,9 +143,9 @@ The second query might not return anything, but the first query will return a no
SELECT username FROM users WHERE username =
- 'alice' OR 1=1; SELECT username FROM users WHERE username = 'alice' AND password = 'garbage'
+ >' AND password = 'garbage'
@@ -166,9 +169,9 @@ In our previous example, we can instead start a comment to ignore parts of the q
SELECT username FROM users WHERE username =
- 'alice' OR 1=1--alice' OR 1=1--' AND password = 'garbage'' AND password = 'garbage'
@@ -198,8 +201,8 @@ For example, in the previous exploit, if the server replaces all instances of th
SELECT username FROM users WHERE username =
- 'alice\' OR 1=1\-\-' AND password =
- 'garbage'
+ 'alice\' OR 1=1\-\-' AND password =
+ 'garbage'
diff --git a/web/xss.md b/web/xss.md
index b78394d..4c61ae8 100644
--- a/web/xss.md
+++ b/web/xss.md
@@ -5,6 +5,9 @@ nav_order: 6
layout: page
header-includes:
- \pagenumbering{gobble}
+output:
+ pdf_document:
+ pandoc_args: ["--lua-filter=color-text-span.lua"]
---
# 22. Cross-Site Scripting (XSS)
@@ -36,7 +39,7 @@ In a reflected XSS attack, the attacker finds a vulnerable webpage where the ser
A classic example of reflected XSS is a Google search. When you make an HTTP GET request for a Google search, such as `https://www.google.com/search?&q=cs161`, the returned webpage with search results will include something like
- You searched for: cs161
+ You searched for: cs161
If Google does not properly check user input, an attacker could create a malicious URL `https://www.google.com/search?&q=`. When the victim loads this URL, Google will return
@@ -44,7 +47,7 @@ If Google does not properly check user input, an attacker could create a malicio
You searched for:
- <script>alert("XSS attack!")</script>