]> git.ipfire.org Git - thirdparty/rrdtool-1.x.git/commitdiff
projects / thirdparty / rrdtool-1.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 236e71a)
be more agressive in extracting bad characters from cgi variables
authorTobias Oetiker <tobi@oetiker.ch>
Tue, 12 Oct 2021 08:35:43 +0000 (10:35 +0200)
committerTobias Oetiker <tobi@oetiker.ch>
Tue, 12 Oct 2021 08:35:43 +0000 (10:35 +0200)
src/rrd_cgi.c patch | blob | blame | history

diff --git a/src/rrd_cgi.c b/src/rrd_cgi.c
index e58069f61689e1e6d53f14f79c348eb9fec8f5fb..36a799762202ad849eac4f69d56e4bb88f981486 100644 (file)
--- a/src/rrd_cgi.c
+++ b/src/rrd_cgi.c
@@ -792,7 +792,8 @@ static char *rrdstrip(
 
     p = buf;
     while (*p) {
-        if (*p == '<' || *p == '>') {
+        if (*p == '<' || *p == '>' ||
+            *p == '&' || *p < ' ' || *p > '\'' || *p == '"') {
             *p = '_';
         }
         p++;
@@ -919,7 +920,7 @@ static char *drawgraph(
             break;
     if (i == argc) {
         args[argc++] = "--imginfo";
-        args[argc++] = "<IMG SRC=\"./%s\" WIDTH=\"%lu\" HEIGHT=\"%lu\">";
+        args[argc++] = "<img src=\"./%s\" width=\"%lu\" height=\"%lu\" />";
     }
     calfree();
     if (rrd_graph
Mirror of https://github.com/oetiker/rrdtool-1.x.git