From a36a0d9dec8a3ba79501d2526d648e44306f0fdd Mon Sep 17 00:00:00 2001 From: Lars Hjemli Date: Sun, 5 Oct 2008 12:49:46 +0200 Subject: [PATCH 1/2] html.c: add html_url_arg This function can be used to properly escape querystring parameter values. Signed-off-by: Lars Hjemli --- html.c | 16 ++++++++++++++++ html.h | 1 + 2 files changed, 17 insertions(+) diff --git a/html.c b/html.c index 36e9a2f..167127f 100644 --- a/html.c +++ b/html.c @@ -128,6 +128,22 @@ void html_attr(char *txt) html(txt); } +void html_url_arg(char *txt) +{ + char *t = txt; + while(t && *t){ + int c = *t; + if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') { + write(htmlfd, txt, t - txt); + write(htmlfd, fmt("%%%2x", c), 3); + txt = t+1; + } + t++; + } + if (t!=txt) + html(txt); +} + void html_hidden(char *name, char *value) { html("foo+bar<" trash/tmp' +run_test 'verify foo+bar link' 'grep -e "/foo+bar/" trash/tmp' run_test 'no tree-link' '! grep -e "foo/tree" trash/tmp' run_test 'no log-link' '! grep -e "foo/log" trash/tmp' diff --git a/tests/t0104-tree.sh b/tests/t0104-tree.sh index 2516c72..0d62cc8 100755 --- a/tests/t0104-tree.sh +++ b/tests/t0104-tree.sh @@ -18,4 +18,16 @@ run_test 'no line 2' ' grep -e "2" trash/tmp ' +run_test 'generate foo+bar/tree' 'cgit_url "foo%2bbar/tree" >trash/tmp' + +run_test 'verify a+b link' ' + grep -e "/foo+bar/tree/a+b" trash/tmp +' + +run_test 'generate foo+bar/tree?h=1+2' 'cgit_url "foo%2bbar/tree&h=1%2b2" >trash/tmp' + +run_test 'verify a+b?h=1+2 link' ' + grep -e "/foo+bar/tree/a+b?h=1%2b2" trash/tmp +' + tests_done diff --git a/ui-shared.c b/ui-shared.c index c23bc75..a2f636c 100644 --- a/ui-shared.c +++ b/ui-shared.c 
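Review bot: The escape written by `write(htmlfd, fmt("%%%2x", c), 3)` in html_url_arg is only correct by accident of the current character set: `%2x` pads with a space rather than a zero, and `c` is loaded from a plain `char`, so a byte below 0x10 would come out as `% 9` and a high byte on a signed-char platform would be negative and truncated to `%ff`; none of the seven characters tested today hit either case, but a function meant to be extended should use `fmt("%%%02x", (unsigned char)c)`. The set itself also omits characters that matter in a query-string value — space, `;`, `=`, `<`, `>` and every byte outside printable ASCII — and whatever is not matched is passed through raw by the trailing `html(txt)`; a more robust shape is to invert the test and percent-encode every byte that is not RFC 3986 unreserved (`A-Za-z0-9-._~`), which also removes the need to keep a blacklist in sync with callers. Both `write()` results are discarded, which appears to follow the surrounding file's style. A header comment would help callers pick the right helper, e.g. `/* Percent-encode txt for use as a query-string parameter value (escapes "#%&'+?); does NOT make it safe for raw HTML text. */`.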
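Review bot: The new t0104 cases only prove that `+` survives in the path and becomes `%2b` in `h=`; the characters the escaping exists for — `&`, `'`, `"`, `#`, `?`, `%` — get no test, so a regression in html_url_arg's character set would pass. Assuming the tree page emits the requested head in its links even when that branch does not exist (which the `h=1+2` case already relies on), one more case covers them: `run_test 'verify h=a&b link' 'cgit_url "foo%2bbar/tree&h=a%26b%27c" | grep -e "h=a%26b%27c"'`. The existing `grep -e` patterns are fine as written, since `+` and `?` are literal in a basic regular expression.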
@@ -221,21 +221,21 @@ static char *repolink(char *title, char *class, char *page, char *head,
 	} else {
 		html(ctx.cfg.script_name);
 		html("?url=");
-		html_attr(ctx.repo->url);
+		html_url_arg(ctx.repo->url);
 		if (ctx.repo->url[strlen(ctx.repo->url) - 1] != '/')
 			html("/");
 		if (page) {
-			html(page);
+			html_url_arg(page);
 			html("/");
 			if (path)
-				html_attr(path);
+				html_url_arg(path);
 		}
 		delim = "&";
 	}
 	if (head && strcmp(head, ctx.repo->defbranch)) {
 		html(delim);
 		html("h=");
-		html_attr(head);
+		html_url_arg(head);
 		delim = "&";
 	}
 	return fmt("%s", delim);
@@ -250,7 +250,7 @@ static void reporevlink(char *page, char *name, char *title, char *class,
 	if (rev && strcmp(rev, ctx.qry.head)) {
 		html(delim);
 		html("id=");
-		html_attr(rev);
+		html_url_arg(rev);
 	}
 	html("'>");
 	html_txt(name);
@@ -278,17 +278,17 @@ void cgit_log_link(char *name, char *title, char *class, char *head,
 	if (rev && strcmp(rev, ctx.qry.head)) {
 		html(delim);
 		html("id=");
-		html_attr(rev);
+		html_url_arg(rev);
 		delim = "&";
 	}
 	if (grep && pattern) {
 		html(delim);
 		html("qt=");
-		html_attr(grep);
+		html_url_arg(grep);
 		delim = "&";
 		html(delim);
 		html("q=");
-		html_attr(pattern);
+		html_url_arg(pattern);
 	}
 	if (ofs > 0) {
 		html(delim);
@@ -333,13 +333,13 @@ void cgit_diff_link(char *name, char *title, char *class, char *head,
 	if (new_rev && strcmp(new_rev, ctx.qry.head)) {
 		html(delim);
 		html("id=");
-		html_attr(new_rev);
+		html_url_arg(new_rev);
 		delim = "&";
 	}
 	if (old_rev) {
 		html(delim);
 		html("id2=");
-		html_attr(old_rev);
+		html_url_arg(old_rev);
 	}
 	html("'>");
 	html_txt(name);
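Review bot: In cgit_log_link the value passed on the `q=` line, `pattern`, is user-supplied search text, and html_url_arg as added by this patch leaves space, `;`, `=`, `<`, `>` and non-ASCII bytes unescaped, so a search for `foo bar` yields `q=foo bar` inside the href; the `'` → `%27` escape does keep the value inside the single-quoted attribute that the later `html("'>")` closes, so this is a malformed link rather than an attribute breakout, but `q=` and `qt=` are the call sites most worth covering when the escape set is widened (at minimum space → `%20`). Separately, the repolink hunk keeps `ctx.repo->url[strlen(ctx.repo->url) - 1]` as context, which indexes before the buffer when the repo url is empty — pre-existing, not introduced here, but a cheap guard is `if (*ctx.repo->url && ctx.repo->url[strlen(ctx.repo->url) - 1] != '/')`. Each of repolink, reporevlink, cgit_log_link and cgit_diff_link begins, and all but reporevlink end, outside these hunks.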