html: properly percent-escape URLs

The only valid characters for a URL are unreserved characters
a-zA-Z0-9_-.~ and the reserved characters !*'();:@&=+$,/?%#[] , as per
RFC 3986.  Everything else must be escaped.  Additionally, the # and
? always have special meaning, and the &, =, and + have special meaning
in a query string, so they too must be escaped.  To make this easier,
a table of escapes is now used so that we do not have to call fmt() for
each character; if the entry is 0, no escaping is needed.

Signed-off-by: Mark Lodato <lodatom@gmail.com>
This commit is contained in:
Mark Lodato 2010-02-09 10:12:43 -05:00
vanhempi 8aab27f24d
commit a2c6355f9f

36
html.c
Näytä tiedosto

@ -13,6 +13,32 @@
#include <string.h> #include <string.h>
#include <errno.h> #include <errno.h>
/* Percent-encoding of each character, except: a-zA-Z0-9!$()*,./:;@- */
static const char* url_escape_table[256] = {
"%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09",
"%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%10", "%11", "%12", "%13",
"%14", "%15", "%16", "%17", "%18", "%19", "%1a", "%1b", "%1c", "%1d",
"%1e", "%1f", "%20", 0, "%22", "%23", 0, "%25", "%26", "%27", 0, 0, 0,
"%2b", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%3c", "%3d",
"%3e", "%3f", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, "%5c", 0, "%5e", 0, "%60", 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%7b",
"%7c", "%7d", 0, "%7f", "%80", "%81", "%82", "%83", "%84", "%85",
"%86", "%87", "%88", "%89", "%8a", "%8b", "%8c", "%8d", "%8e", "%8f",
"%90", "%91", "%92", "%93", "%94", "%95", "%96", "%97", "%98", "%99",
"%9a", "%9b", "%9c", "%9d", "%9e", "%9f", "%a0", "%a1", "%a2", "%a3",
"%a4", "%a5", "%a6", "%a7", "%a8", "%a9", "%aa", "%ab", "%ac", "%ad",
"%ae", "%af", "%b0", "%b1", "%b2", "%b3", "%b4", "%b5", "%b6", "%b7",
"%b8", "%b9", "%ba", "%bb", "%bc", "%bd", "%be", "%bf", "%c0", "%c1",
"%c2", "%c3", "%c4", "%c5", "%c6", "%c7", "%c8", "%c9", "%ca", "%cb",
"%cc", "%cd", "%ce", "%cf", "%d0", "%d1", "%d2", "%d3", "%d4", "%d5",
"%d6", "%d7", "%d8", "%d9", "%da", "%db", "%dc", "%dd", "%de", "%df",
"%e0", "%e1", "%e2", "%e3", "%e4", "%e5", "%e6", "%e7", "%e8", "%e9",
"%ea", "%eb", "%ec", "%ed", "%ee", "%ef", "%f0", "%f1", "%f2", "%f3",
"%f4", "%f5", "%f6", "%f7", "%f8", "%f9", "%fa", "%fb", "%fc", "%fd",
"%fe", "%ff"
};
int htmlfd = STDOUT_FILENO; int htmlfd = STDOUT_FILENO;
char *fmt(const char *format, ...) char *fmt(const char *format, ...)
@ -135,9 +161,10 @@ void html_url_path(const char *txt)
const char *t = txt; const char *t = txt;
while(t && *t){ while(t && *t){
int c = *t; int c = *t;
if (c=='"' || c=='#' || c=='\'' || c=='?') { const char *e = url_escape_table[c];
if (e && c!='+' && c!='&' && c!='+') {
write(htmlfd, txt, t - txt); write(htmlfd, txt, t - txt);
write(htmlfd, fmt("%%%2x", c), 3); write(htmlfd, e, 3);
txt = t+1; txt = t+1;
} }
t++; t++;
@ -151,9 +178,10 @@ void html_url_arg(const char *txt)
const char *t = txt; const char *t = txt;
while(t && *t){ while(t && *t){
int c = *t; int c = *t;
if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') { const char *e = url_escape_table[c];
if (e) {
write(htmlfd, txt, t - txt); write(htmlfd, txt, t - txt);
write(htmlfd, fmt("%%%2x", c), 3); write(htmlfd, e, 3);
txt = t+1; txt = t+1;
} }
t++; t++;