Add the escapehtml function to the expression API
authorRuediger Pluem <rpluem@apache.org>
Tue, 10 Jun 2025 15:31:19 +0000 (15:31 +0000)
committerRuediger Pluem <rpluem@apache.org>
Tue, 10 Jun 2025 15:31:19 +0000 (15:31 +0000)
Add the escapehtml function to the expression API, allowing HTML
strings to be escaped to guard against HTML injection.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926342 13f79535-47bb-0310-9956-ffa450edef68

changes-entries/escapehtml.txt [new file with mode: 0644]
docs/manual/expr.xml
server/util_expr_eval.c

diff --git a/changes-entries/escapehtml.txt b/changes-entries/escapehtml.txt
new file mode 100644 (file)
index 0000000..b15cbf5
--- /dev/null
@@ -0,0 +1,2 @@
+ *) Add the escapehtml function to the expression API, allowing to escape HTML
+    strings to guard against HTML injections. [Ruediger Pluem]
index 450ee0eb394ec627bc4b0a71fdef61954da76e5e..3005ff6e980bba3b4b929b2e68062195175d0939 100644 (file)
@@ -605,6 +605,8 @@ DIGIT       ::= &lt;any US-ASCII digit "0".."9"&gt;
         <td>replace(string, "from", "to") replaces all occurrences of "from"
             in the string with "to". The first parameter must not be a literal string.
             </td><td></td></tr>
+    <tr><td><code>escapehtml</code></td>
+        <td>Escape a HTML string</td><td></td></tr>
 
     </table>
 
index f1424aa1a915e4c6e24e7e96f13552e79dcb4953..7a2a7da01540d41fd58a1855946e01bc3c45fec2 100644 (file)
@@ -1422,6 +1422,12 @@ static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
 }
 #endif
 
+static const char *escapehtml_func(ap_expr_eval_ctx_t *ctx, const void *data,
+                                   const char *arg)
+{
+    return ap_escape_html(ctx->p, arg);
+}
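Review bot: escapehtml_func carries no comment stating what ap_escape_html() actually covers, so users of the new expression function cannot tell from this file which contexts the result is safe in. ap_escape_html() is implemented in server/util.c, which this hunk does not show; as far as I recall it rewrites `<`, `>`, `&` and `"` but leaves `'` untouched, which means the output is adequate for HTML text and double-quoted attribute values but not for single-quoted attributes, URLs or script contexts. I would add above the definition `/* "escapehtml": delegates to ap_escape_html(); escapes <, >, & and " (not '), so the result is only safe in HTML text and double-quoted attribute values. */` so the limitation is visible next to the code rather than only in util.c. The same limitation should be reflected in the docs/manual/expr.xml entry, which currently just says "Escape a HTML string". As with the neighbouring string providers, `arg` is passed through unchecked; presumably the evaluator never hands a NULL here, but that guarantee is not visible in this hunk.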
+
 static int replace_func_parse_arg(ap_expr_lookup_parms *parms)
 {
     const char *original = parms->arg;
@@ -2092,6 +2098,7 @@ static const struct expr_provider_single string_func_providers[] = {
     { ldap_func,            "ldap",           NULL, 0 },
 #endif
     { replace_func,         "replace",        replace_func_parse_arg, 0 },
+    { escapehtml_func,      "escapehtml",     NULL, 0 },
     { NULL, NULL, NULL}
 };