lib/html_quote.c

   1 /*
   2  * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 #include "squid.h"
  10 #include "html_quote.h"
  11
  12 #if HAVE_STRING_H
  13 #include <string.h>
  14 #endif
  15
  16 /*
  17  *  HTML defines these characters as special entities that should be quoted.
  18  */
  19 static struct {
  20     unsigned char code;
  21     const char *quote;
  22 } htmlstandardentities[] =
  23
  24 {
  25     /* NOTE: The quoted form MUST not be larger than 6 character.
  26      * see close to the MemPool commend below
  27      */
  28     {
  29         '<', "&lt;"
  30     },
  31     {
  32         '>', "&gt;"
  33     },
  34     {
  35         '"', "&quot;"
  36     },
  37     {
  38         '&', "&amp;"
  39     },
  40     {
  41         '\'', "&#39;"
  42     },
  43     {
  44         0, NULL
  45     }
  46 };
  47
  48 /*
  49  *  html_do_quote - Returns a static buffer containing the quoted
  50  *  string.
  51  */
  52 char *
  53 html_quote(const char *string)
  54 {
  55     static char *buf;
  56     static size_t bufsize = 0;
  57     const char *src;
  58     char *dst;
  59     int i;
  60
  61     /* XXX This really should be implemented using a MemPool, but
  62      * MemPools are not yet available in lib...
  63      */
  64     if (buf == NULL || strlen(string) * 6 > bufsize) {
  65         xfree(buf);
  66         bufsize = strlen(string) * 6 + 1;
  67         buf = xcalloc(bufsize, 1);
  68     }
  69     for (src = string, dst = buf; *src; src++) {
  70         const char *escape = NULL;
  71         const unsigned char ch = *src;
  72
  73         /* Walk thru the list of HTML Entities that must be quoted to
  74          * display safely
  75          */
  76         for (i = 0; htmlstandardentities[i].code; i++) {
  77             if (ch == htmlstandardentities[i].code) {
  78                 escape = htmlstandardentities[i].quote;
  79                 break;
  80             }
  81         }
  82         /* Encode control chars just to be on the safe side, and make
  83          * sure all 8-bit characters are encoded to protect from buggy
  84          * clients
  85          */
  86         if (!escape && (ch <= 0x1F || ch >= 0x7f) && ch != '\n' && ch != '\r' && ch != '\t') {
  87             static char dec_encoded[7];
  88             snprintf(dec_encoded, sizeof dec_encoded, "&#%3d;", (int) ch);
  89             escape = dec_encoded;
  90         }
  91         if (escape) {
  92             /* Ok, An escaped form was found above. Use it */
  93             strncpy(dst, escape, 6);
  94             dst += strlen(escape);
  95         } else {
  96             /* Apparently there is no need to escape this character */
  97             *dst++ = ch;
  98         }
  99     }
 100     /* Nullterminate and return the result */
 101     *dst = '\0';
 102     return (buf);
 103 }
 104