authorLars Hjemli <hjemli@gmail.com>2009-01-29 21:21:15 (UTC)
committer Lars Hjemli <hjemli@gmail.com>2009-01-29 21:21:15 (UTC)
commit7efcef00b5aadf22f5be80ecd7b736398cf7f6b4 (patch) (unidiff)
tree6bfdb7c5499ba43eb9b302394adc7bfa7e517436
parentba75f6613ebce2d716334d912932f1bd78ef124f (diff)
html.c: use correct escaping in html attributes
First, an apostrophe is not a quote. Second, we also need to escape quotes. And finally, quotes are encoded as '&quot;', not '&quote;'. Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--html.c6
1 files changed, 4 insertions, 2 deletions
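--- a/html.c
+++ b/html.c
@@ -19,200 +19,202 @@ char *fmt(const char *format, ...)
 {
 static char buf[8][1024];
 static int bufidx;
 int len;
 va_list args;
 
 bufidx++;
 bufidx &= 7;
 
 va_start(args, format);
 len = vsnprintf(buf[bufidx], sizeof(buf[bufidx]), format, args);
 va_end(args);
 if (len>sizeof(buf[bufidx])) {
 fprintf(stderr, "[html.c] string truncated: %s\n", format);
 exit(1);
 }
 return buf[bufidx];
 }
 
 void html_raw(const char *data, size_t size)
 {
 write(htmlfd, data, size);
 }
 
 void html(const char *txt)
 {
 write(htmlfd, txt, strlen(txt));
 }
 
 void htmlf(const char *format, ...)
 {
 static char buf[65536];
 va_list args;
 
 va_start(args, format);
 vsnprintf(buf, sizeof(buf), format, args);
 va_end(args);
 html(buf);
 }
 
 void html_status(int code, const char *msg, int more_headers)
 {
 htmlf("Status: %d %s\n", code, msg);
 if (!more_headers)
 html("\n");
 }
 
 void html_txt(char *txt)
 {
 char *t = txt;
 while(t && *t){
 int c = *t;
 if (c=='<' || c=='>' || c=='&') {
 write(htmlfd, txt, t - txt);
 if (c=='>')
 html("&gt;");
 else if (c=='<')
 html("&lt;");
 else if (c=='&')
 html("&amp;");
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_ntxt(int len, char *txt)
 {
 char *t = txt;
 while(t && *t && len--){
 int c = *t;
 if (c=='<' || c=='>' || c=='&') {
 write(htmlfd, txt, t - txt);
 if (c=='>')
 html("&gt;");
 else if (c=='<')
 html("&lt;");
 else if (c=='&')
 html("&amp;");
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 write(htmlfd, txt, t - txt);
 if (len<0)
 html("...");
 }
 
 void html_attr(char *txt)
 {
 char *t = txt;
 while(t && *t){
 int c = *t;
-if (c=='<' || c=='>' || c=='\'') {
+if (c=='<' || c=='>' || c=='\'' || c=='\"') {
 write(htmlfd, txt, t - txt);
 if (c=='>')
 html("&gt;");
 else if (c=='<')
 html("&lt;");
 else if (c=='\'')
-html("&quote;");
+html("&#x27;");
+else if (c=='"')
+html("&quot;");
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_url_path(char *txt)
 {
 char *t = txt;
 while(t && *t){
 int c = *t;
 if (c=='"' || c=='#' || c=='\'' || c=='?') {
 write(htmlfd, txt, t - txt);
 write(htmlfd, fmt("%%%2x", c), 3);
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_url_arg(char *txt)
 {
 char *t = txt;
 while(t && *t){
 int c = *t;
 if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') {
 write(htmlfd, txt, t - txt);
 write(htmlfd, fmt("%%%2x", c), 3);
 txt = t+1;
 }
 t++;
 }
 if (t!=txt)
 html(txt);
 }
 
 void html_hidden(char *name, char *value)
 {
 html("<input type='hidden' name='");
 html_attr(name);
 html("' value='");
 html_attr(value);
 html("'/>");
 }
 
 void html_option(char *value, char *text, char *selected_value)
 {
 html("<option value='");
 html_attr(value);
 html("'");
 if (selected_value && !strcmp(selected_value, value))
 html(" selected='selected'");
 html(">");
 html_txt(text);
 html("</option>\n");
 }
 
 void html_link_open(char *url, char *title, char *class)
 {
 html("<a href='");
 html_attr(url);
 if (title) {
 html("' title='");
 html_attr(title);
 }
 if (class) {
 html("' class='");
 html_attr(class);
 }
 html("'>");
 }
 
 void html_link_close(void)
 {
 html("</a>");
 }
 
 void html_fileperm(unsigned short mode)
 {
 htmlf("%c%c%c", (mode & 4 ? 'r' : '-'),
 (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-'));
 }
 
 int html_include(const char *filename)
 {
 FILE *f;
 char buf[4096];
 size_t len;
 
 if (!(f = fopen(filename, "r"))) {
 fprintf(stderr, "[cgit] Failed to include file %s: %s (%d).\n",
 filename, strerror(errno), errno);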
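Review bot: html_attr still leaves `&` unescaped after this change, so an attribute value containing a sequence such as `&amp;` or `&lt;` is decoded by the browser instead of being shown literally, and attribute escaping stays weaker than html_txt's in the same hunk, which does handle `&`. Since html_attr is what html_hidden, html_option and html_link_open below feed their value/href/title/class strings through, I would add `&` to the set: change the condition to `if (c=='<' || c=='>' || c=='&' || c=='\'' || c=='"') {` and add `else if (c=='&') html("&amp;");` alongside the new `&quot;` branch. As a point of style, the new condition spells the double quote as `'\"'` while the branch two lines below writes `'"'`; the backslash is unnecessary in a character literal and html_url_path and html_url_arg in this hunk already use `'"'`. The `&#x27;` choice for the apostrophe is the right one, as `&apos;` is not an HTML 4 entity.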