From: Nick Kew
Date: Thu, 8 Jan 2009 01:24:16 +0000 (+0000)
Subject: Backport r730296: fix for HTML entity escaping in mod_include,
X-Git-Tag: 2.2.12~286
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37d373a8f1f446a6559acbc578a3d330dce811fc;p=thirdparty%2Fapache%2Fhttpd.git
Backport r730296: fix for HTML entity escaping in mod_include, including enhancement of ap_escape_html API.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@732583 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 9e2bf585742..32e9433c75e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.12
+ *) mod_include: support generating non-ASCII characters as entities in SSI
+ PR 25202 [Nick Kew]
+
+ *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
+ [Nick Kew]
+
 *) mod_rewrite: fix "B" flag breakage by reverting r589343
 PR 45529 [Bob Ionescu ]
diff --git a/STATUS b/STATUS
index 6529e0aa56b..5f20e87bb7f 100644
--- a/STATUS
+++ b/STATUS
@@ -93,15 +93,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 http://svn.apache.org/viewvc?view=rev&revision=731594
 +1: niq, rpluem, covener
- * Enhance ap_escape_html to add an option to escape all non-ASCII
- characters. Use this to fix mod_include's handling of entities.
- PR 25202
- trunk:
- http://svn.apache.org/viewvc?view=rev&revision=730296
- 2.2.x:
- http://people.apache.org/~niq/patches/25202
- +1: niq, rpluem, covener
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 [ New proposals should be added at the end of the list ]
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index fbdd336d111..e5e5be55c94 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -135,6 +135,7 @@
 * 20051115.19 (2.2.11) Added ap_timeout_parameter_parse to util.c / httpd.h
 * 20051115.20 (2.2.11) Add ap_proxy_buckets_lifetime_transform to mod_proxy.h
 * 20051115.21 (2.2.11) Export mod_rewrite.h in the public API
+ * 20051115.22 (2.2.12) Add ap_escape_html2 API, with additional option
 */
 #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
diff --git a/include/httpd.h b/include/httpd.h
index a96e4d62097..30bdc71b7b4 100644
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -1495,6 +1495,14 @@ AP_DECLARE(char *) ap_os_escape_path(apr_pool_t *p, const char *path, int partia
 * @return The escaped string
 */
 AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s);
+/**
+ * Escape an html string
+ * @param p The pool to allocate from
+ * @param s The html to escape
+ * @param toasc Whether to escape all non-ASCII chars to &#nnn;
+ * @return The escaped string
+ */
+AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc);
 /**
 * Escape a string for logging
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 1c683880cef..acb3010472c 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -1812,7 +1812,8 @@ static apr_status_t handle_echo(include_ctx_t *ctx, ap_filter_t *f,
 echo_text = ap_escape_uri(ctx->dpool, val);
 break;
 case E_ENTITY:
- echo_text = ap_escape_html(ctx->dpool, val);
+ /* PR#25202: escape anything non-ascii here */
+ echo_text = ap_escape_html2(ctx->dpool, val, 1);
 break;
 }
diff --git a/server/util.c b/server/util.c
index 3c927c23957..e16b8eb24f1 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1737,7 +1737,7 @@ AP_DECLARE(char *) ap_os_escape_path(apr_pool_t *p, const char *path, int partia
 /* ap_escape_uri is now a macro for os_escape_path */
-AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
+AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
 {
 int i, j;
 char *x;
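Review bot: The doc comment added for ap_escape_html2 in include/httpd.h repeats the one-line summary of ap_escape_html and does not say how toasc treats the data. Judging from the server/util.c hunks of this commit, the escape is applied per byte: every byte that fails apr_isascii() is written as a three-digit decimal reference, so one multi-byte UTF-8 character becomes several references. Anyone choosing this flag to output-encode untrusted text needs that stated, so I would word the parameter as `@param toasc Non-zero to also replace every byte outside ASCII with &#nnn; (byte-wise: nnn is the byte value, not a decoded code point)`. The summary line could become `Escape an html string, optionally forcing 7-bit ASCII output` so the two declarations are distinguishable in generated docs.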
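Review bot: In the E_ENTITY case of handle_echo the new call passes a bare `1` and the comment carries only the PR number, so the behaviour change for existing pages is not visible at the call site. With toasc set, a variable value holding multi-byte text is echoed as one numeric reference per byte (see the server/util.c hunks), and a numeric reference denotes a code point rather than a byte of the page encoding. If that is the intended trade-off, say so where it happens: `/* PR#25202: force 7-bit output; each byte >= 0x80 is emitted as &#nnn; (byte-wise, no charset decoding) */`. handle_echo starts and ends outside this hunk, so whether the charset of val is known at this point cannot be judged from here.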
@@ -1750,6 +1750,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
 j += 4;
 else if (s[i] == '"')
 j += 5;
+ else if (toasc && !apr_isascii(s[i]))
+ j += 5;
 if (j == 0)
 return apr_pstrmemdup(p, s, i);
@@ -1772,13 +1774,21 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
 memcpy(&x[j], """, 6);
 j += 5;
 }
+ else if (toasc && !apr_isascii(s[i])) {
+ char *esc = apr_psprintf(p, "&#%3.3d;", (unsigned char)s[i]);
+ memcpy(&x[j], esc, 6);
+ j += 5;
+ }
 else
 x[j] = s[i];
 x[j] = '\0';
 return x;
 }
-
+AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
+{
+ return ap_escape_html2(p, s, 0);
+}
 AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str)
 {
 char *ret;
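Review bot: The added `j += 5` branch in the sizing pass lets any byte outside ASCII contribute five extra output bytes, while the counters are still the `int i, j;` shown in the preceding hunk of this file. For a very long input the running total could exceed INT_MAX before the buffer is sized. The allocation itself lies outside the visible hunks, so this is inferred rather than shown. Since ap_escape_html2 is now exported API and not only called on short SSI values, declaring the counters as `apr_size_t i, j;` would settle it. The function body begins and ends outside this hunk.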
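Review bot: The new branch in the copy loop calls apr_psprintf(p, ...) once per escaped byte, so each non-ASCII byte costs a separate allocation from p in addition to the output buffer sized in the first pass. Those allocations stay live until the pool is cleared, which means memory use scales with the count of high bytes in text that may come from the request (mod_include now sets toasc for entity-encoded echo). Formatting into a small stack buffer avoids the extra pool traffic: `char esc[8]; apr_snprintf(esc, sizeof(esc), "&#%3.3d;", (unsigned char)s[i]); memcpy(&x[j], esc, 6);`. A one-line comment would also help, noting that the `6` and `j += 5` pair relies on the cast value always printing as exactly three digits.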