authorJo-Philipp Wich <jo@mein.io>2018-04-04 16:58:11 +0200
committerJo-Philipp Wich <jo@mein.io>2018-04-04 17:17:43 +0200
commit8109b957b668a90d4a9b00f1e9db3d8d7e491bf3 (patch)
tree89e4696334a6b8dae88a5dbc0cb6c89d4b801222 /utils.c
parentd3b95607a7f0961038674c7651a50215a0eb2db1 (diff)
file: escape strings in HTML output
Escape untrusted input like the request URL or filesystem paths in HTML outputs such as the directory listing or 404 error messages. This fixes certain XSS vulnerabilities which can be leveraged to further exploit the system. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'utils.c')
-rw-r--r--utils.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/utils.c b/utils.c
index 1c61c41..d990d7d 100644
--- a/utils.c
+++ b/utils.c
@@ -269,11 +269,11 @@ static bool is_html_special_char(char c)
char *uh_htmlescape(const char *str)
{
- size_t len;
+ size_t i, len;
char *p, *copy;
- for (p = str, len = 1; *p; p++)
- if (is_html_special_char(*p))
+ for (i = 0, len = 1; str[i]; i++)
+ if (is_html_special_char(str[i]))
len += 6; /* &#x??; */
else
len++;
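Review bot: The fixed `len += 6` budget on the `len += 6; /* &#x??; */` line is only correct if every byte that `is_html_special_char` accepts is rendered by the second loop as exactly two hex digits, i.e. its value is below 0x100; that function's body lies outside the hunk, so I cannot confirm it from here, and the coupling between the two loops is undocumented. I would record it in the comment: `len += 6; /* "&#x??;" - assumes special chars are single bytes < 0x100, see the sprintf in the copy loop */`. The function `uh_htmlescape` continues past the end of this hunk.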
@@ -283,11 +283,11 @@ char *uh_htmlescape(const char *str)
if (!copy)
return NULL;
- for (p = copy; *str; str++)
- if (is_html_special_char(*str))
- p += sprintf(p, "&#x%02x;", (unsigned int)*str);
+ for (i = 0, p = copy; str[i]; i++)
+ if (is_html_special_char(str[i]))
+ p += sprintf(p, "&#x%02x;", (unsigned int)str[i]);
else
- *p++ = *str;
+ *p++ = str[i];
return copy;
}
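Review bot: `(unsigned int)str[i]` on the `p += sprintf(p, "&#x%02x;", ...)` line widens a plain `char`; where `char` is signed, any byte with the high bit set that `is_html_special_char` accepts becomes a negative value that `%02x` prints as eight hex digits, twelve bytes instead of the six the first loop budgeted, which is a heap overflow. Whether such a byte can reach this line depends on `is_html_special_char`, whose body is outside the hunk, but the conversion should not rely on it: `p += sprintf(p, "&#x%02x;", (unsigned int)(unsigned char)str[i]);`. Separately, the copy loop writes no terminator before `return copy;` although `len` was seeded with 1 for it; the allocation sits between the two hunks, so unless it zero-fills the buffer (calloc), add `*p = '\0';` before the return.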