author | Lars Hjemli <hjemli@gmail.com> | 2009-01-29 21:21:15 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2009-01-29 21:21:15 (UTC) |
commit | 7efcef00b5aadf22f5be80ecd7b736398cf7f6b4 (patch) (side-by-side diff) | |
tree | 6bfdb7c5499ba43eb9b302394adc7bfa7e517436 | |
parent | ba75f6613ebce2d716334d912932f1bd78ef124f (diff) | |
html.c: use correct escaping in html attributes
First, an apostrophe is not a quote. Second, we also need to escape
quotes. And finally, quotes are encoded as '&quot;', not '&quote;'.
Sighned-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | html.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -19,200 +19,202 @@ char *fmt(const char *format, ...) { static char buf[8][1024]; static int bufidx; int len; va_list args; bufidx++; bufidx &= 7; va_start(args, format); len = vsnprintf(buf[bufidx], sizeof(buf[bufidx]), format, args); va_end(args); if (len>sizeof(buf[bufidx])) { fprintf(stderr, "[html.c] string truncated: %s\n", format); exit(1); } return buf[bufidx]; } void html_raw(const char *data, size_t size) { write(htmlfd, data, size); } void html(const char *txt) { write(htmlfd, txt, strlen(txt)); } void htmlf(const char *format, ...) { static char buf[65536]; va_list args; va_start(args, format); vsnprintf(buf, sizeof(buf), format, args); va_end(args); html(buf); } void html_status(int code, const char *msg, int more_headers) { htmlf("Status: %d %s\n", code, msg); if (!more_headers) html("\n"); } void html_txt(char *txt) { char *t = txt; while(t && *t){ int c = *t; if (c=='<' || c=='>' || c=='&') { write(htmlfd, txt, t - txt); if (c=='>') html(">"); else if (c=='<') html("<"); else if (c=='&') html("&"); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_ntxt(int len, char *txt) { char *t = txt; while(t && *t && len--){ int c = *t; if (c=='<' || c=='>' || c=='&') { write(htmlfd, txt, t - txt); if (c=='>') html(">"); else if (c=='<') html("<"); else if (c=='&') html("&"); txt = t+1; } t++; } if (t!=txt) write(htmlfd, txt, t - txt); if (len<0) html("..."); } void html_attr(char *txt) { char *t = txt; while(t && *t){ int c = *t; - if (c=='<' || c=='>' || c=='\'') { + if (c=='<' || c=='>' || c=='\'' || c=='\"') { write(htmlfd, txt, t - txt); if (c=='>') html(">"); else if (c=='<') html("<"); else if (c=='\'') - html(""e;"); + html("'"); + else if (c=='"') + html("""); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_url_path(char *txt) { char *t = txt; while(t && *t){ int c = *t; if (c=='"' || c=='#' || c=='\'' || c=='?') { write(htmlfd, txt, t - txt); write(htmlfd, fmt("%%%2x", c), 3); txt = t+1; } t++; } if (t!=txt) html(txt); } void 
html_url_arg(char *txt) { char *t = txt; while(t && *t){ int c = *t; if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') { write(htmlfd, txt, t - txt); write(htmlfd, fmt("%%%2x", c), 3); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_hidden(char *name, char *value) { html("<input type='hidden' name='"); html_attr(name); html("' value='"); html_attr(value); html("'/>"); } void html_option(char *value, char *text, char *selected_value) { html("<option value='"); html_attr(value); html("'"); if (selected_value && !strcmp(selected_value, value)) html(" selected='selected'"); html(">"); html_txt(text); html("</option>\n"); } void html_link_open(char *url, char *title, char *class) { html("<a href='"); html_attr(url); if (title) { html("' title='"); html_attr(title); } if (class) { html("' class='"); html_attr(class); } html("'>"); } void html_link_close(void) { html("</a>"); } void html_fileperm(unsigned short mode) { htmlf("%c%c%c", (mode & 4 ? 'r' : '-'), (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-')); } int html_include(const char *filename) { FILE *f; char buf[4096]; size_t len; if (!(f = fopen(filename, "r"))) { fprintf(stderr, "[cgit] Failed to include file %s: %s (%d).\n", filename, strerror(errno), errno); |
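Review bot: html_attr still writes `&` through unescaped: the new condition adds `"` but not `&`, although html_txt and html_ntxt in the same hunk do escape it. An attribute value that already contains entity-like text (for example a literal `&lt;` in a title or a hidden field's value) is then decoded by the browser into a different value than the one stored, and a bare `&` in an href written through html_link_open is not well-formed. Extend the test with `|| c=='&'` and add a branch `else if (c=='&') html("&amp;");` next to the other replacements. The entity strings on this page appear to have been decoded by the renderer, so the literal spellings in the new lines are inferred rather than read directly.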