From: Ruediger Pluem
Date: Tue, 10 Jun 2025 15:31:19 +0000 (+0000)
Subject: Add the escapehtml function to the expression API
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9771a826fd30380c9371812b04d3899b22bfbaa7;p=thirdparty%2Fapache%2Fhttpd.git
Add the escapehtml function to the expression API
Add the escapehtml function to the expression API, allowing to escape HTML strings to guard against HTML injections.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926342 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/escapehtml.txt b/changes-entries/escapehtml.txt
new file mode 100644
index 0000000000..b15cbf5338
--- /dev/null
+++ b/changes-entries/escapehtml.txt
@@ -0,0 +1,2 @@
+ *) Add the escapehtml function to the expression API, allowing to escape HTML
+ strings to guard against HTML injections. [Ruediger Pluem]
diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml
index 450ee0eb39..3005ff6e98 100644
--- a/docs/manual/expr.xml
+++ b/docs/manual/expr.xml
@@ -605,6 +605,8 @@ DIGIT ::= <any US-ASCII digit "0".."9"> replace(string, "from", "to") replaces all occurrences of "from" in the string with "to". The first parameter must not be a literal string.
+ escapehtml
+ Escape a HTML string
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index f1424aa1a9..7a2a7da015 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -1422,6 +1422,12 @@ static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
 }
 #endif
+static const char *escapehtml_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+{
+ return ap_escape_html(ctx->p, arg);
+}
+
 static int replace_func_parse_arg(ap_expr_lookup_parms *parms)
 {
 const char *original = parms->arg;
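Review bot: escapehtml_func hands arg straight to ap_escape_html, which scans the string up to its terminator, so a NULL arg would crash the evaluator; whether the expression engine guarantees a non-NULL arg for string functions is not visible in this hunk, so either confirm that guarantee against the existing string functions or add `if (!arg) return "";` before the call. The new function also carries no comment stating what it escapes: as far as I recall ap_escape_html rewrites only `<`, `>`, `&` and `"` (not `'`), which makes the result safe in element content and double-quoted attribute values but not in single-quoted attributes, script blocks or URL components, and a caller picking "escapehtml" as a generic anti-injection primitive needs to know that. I would add a comment above the definition such as `/* escapehtml(s): HTML-escapes <, >, & and " via ap_escape_html(); only safe for element content and double-quoted attribute values, not attributes in single quotes, script or URL contexts */` and carry the same scope into the expr.xml entry, whose "Escape a HTML string" does not say which contexts are covered. The table entry in the second hunk (NULL parse_arg, no data) is consistent with this definition.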
@@ -2092,6 +2098,7 @@ static const struct expr_provider_single string_func_providers[] = {
 { ldap_func, "ldap", NULL, 0 },
 #endif
 { replace_func, "replace", replace_func_parse_arg, 0 },
+ { escapehtml_func, "escapehtml", NULL, 0 },
 { NULL, NULL, NULL}
 };