author | Lukas Fleischer <cgit@cryptocrack.de> | 2011-05-24 18:38:40 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2011-05-30 21:55:19 (UTC) |
commit | 69382320d96232ee8c73e664797da61e733c2427 (patch) (unidiff) | |
tree | 7f1d53505859cc6e15b261249a22d1604b3cd037 | |
parent | ec79265f2053e6dc20e0ec486719f5954d2be83d (diff) | |
Properly escape ampersands inside HTML attributes
Ampersands ("&") appearing inside HTML attributes need to be translated
to "&amp;". Otherwise, invalid XHTML will be generated at various
places, such as at tree views containing links to submodules.
Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | html.c | 4 |
1 files changed, 3 insertions, 1 deletions
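--- a/html.c
+++ b/html.c
@@ -93,106 +93,108 @@ void html_txt(const char *txt)
 {
 const char *t = txt;
 while(t && *t){
 int c = *t;
 if (c=='<' || c=='>' || c=='&') {
 html_raw(txt, t - txt);
 if (c=='>')
 html(">");
 else if (c=='<')
 html("<");
 else if (c=='&')
 html("&");
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_ntxt(int len, const char *txt)
 {
 const char *t = txt;
 while(t && *t && len--){
 int c = *t;
 if (c=='<' || c=='>' || c=='&') {
 html_raw(txt, t - txt);
 if (c=='>')
 html(">");
 else if (c=='<')
 html("<");
 else if (c=='&')
 html("&");
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html_raw(txt, t - txt);
 if (len<0)
 html("...");
 }
 
 void html_attr(const char *txt)
 {
 const char *t = txt;
 while(t && *t){
 int c = *t;
-if (c=='<' || c=='>' || c=='\'' || c=='\"') {
+if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') {
 html_raw(txt, t - txt);
 if (c=='>')
 html(">");
 else if (c=='<')
 html("<");
 else if (c=='\'')
 html("'");
 else if (c=='"')
 html(""");
+else if (c=='&')
+html("&");
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_url_path(const char *txt)
 {
 const char *t = txt;
 while(t && *t){
 int c = *t;
 const char *e = url_escape_table[c];
 if (e && c!='+' && c!='&') {
 html_raw(txt, t - txt);
 html(e);
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_url_arg(const char *txt)
 {
 const char *t = txt;
 while(t && *t){
 int c = *t;
 const char *e = url_escape_table[c];
 if (c == ' ')
 e = "+";
 if (e) {
 html_raw(txt, t - txt);
 html(e);
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_hidden(const char *name, const char *value)
 {
 html("<input type='hidden' name='");
 html_attr(name);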
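Review bot: In html_url_path() and html_url_arg(), `int c = *t;` feeds `url_escape_table[c]` directly from a plain `char`, so where `char` is signed any byte at or above 0x80 (non-ASCII path or query text, for instance) becomes a negative index and reads before the table. The commit does not touch those lines, but they are in the same hunk and appear to process the same kind of externally influenced strings as html_attr(); `int c = (unsigned char)*t;` in both functions keeps the index non-negative, assuming the table (declared outside this hunk) covers all 256 byte values. Separately, now that html_attr() escapes `&`, a one-line comment above it such as `/* txt must be raw text; entities already present would be encoded a second time */` would spare callers a double-escaping surprise. html_hidden() continues past the end of the hunk.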