From c28af79329264a7cf331a1b1c414919e4ed9e9f9 Mon Sep 17 00:00:00 2001
From: Vicent Marti
Date: Tue, 2 Sep 2014 13:37:34 +0200
Subject: It buiiiilds
---
 src/html/houdini_html_e.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 src/html/houdini_html_e.c
(limited to 'src/html/houdini_html_e.c')
diff --git a/src/html/houdini_html_e.c b/src/html/houdini_html_e.c
new file mode 100644
index 0000000..316c5ce
--- /dev/null
+++ b/src/html/houdini_html_e.c
@@ -0,0 +1,89 @@
+#include
+#include
+#include
+
+#include "html/houdini.h"
+
+/**
+ * According to the OWASP rules:
+ *
+ * & --> &
+ * < --> <
+ * > --> >
+ * " --> "
+ * ' --> ' ' is not recommended
+ * / --> / forward slash is included as it helps end an HTML entity
+ *
+ */
+static const char HTML_ESCAPE_TABLE[] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 1, 0, 0, 0, 2, 3, 0, 0, 0, 0, 0, 0, 0, 4,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 6, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static const char *HTML_ESCAPES[] = {
+ "",
+ """,
+ "&",
+ "'",
+ "/",
+ "<",
+ ">"
+};
+
+int
+houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
+{
+ size_t i = 0, org, esc = 0;
+
+ while (i < size) {
+ org = i;
+ while (i < size && (esc = HTML_ESCAPE_TABLE[src[i]]) == 0)
+ i++;
+
+ if (i > org) {
+ if (unlikely(org == 0)) {
+ if (i >= size)
+ return 0;
+
+ gh_buf_grow(ob, HOUDINI_ESCAPED_SIZE(size));
+ }
+
+ gh_buf_put(ob, src + org, i - org);
+ }
+
+ /* escaping */
+ if (unlikely(i >= size))
+ break;
+
+ /* The forward slash is only escaped in secure mode */
+ if (src[i] == '/' && !secure) {
+ gh_buf_putc(ob, '/');
+ } else {
+ gh_buf_puts(ob, HTML_ESCAPES[esc]);
+ }
+
+ i++;
+ }
+
+ return 1;
+}
+
+int
+houdini_escape_html(gh_buf *ob, const uint8_t *src, size_t size)
+{
+ return houdini_escape_html0(ob, src, size, 1);
+}
-- 
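Review bot: The return-value contract of `houdini_escape_html0` is undocumented and it matters to callers: on the `org == 0` / `i >= size` path the function returns 0 without appending anything to `ob`, while every other path appends and returns 1, so a caller that ignores the result and reads `ob` sees an empty buffer precisely for input that needed no escaping. A header comment above the definition should say so, e.g. `/* Returns 0 when src contains nothing to escape (ob is left untouched); otherwise appends the escaped form of src to ob and returns 1. */`. It is also worth stating that `secure` only governs the treatment of '/', and that `houdini_escape_html` always passes 1 for it. The `#include` targets and the replacement strings in `HTML_ESCAPES` are not legible in this rendering, so the table-to-entity mapping cannot be checked from the hunk itself.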
cgit v1.2.3
From a7314deae649646f1f7ce5ede972641b5b62538c Mon Sep 17 00:00:00 2001
From: Vicent Marti
Date: Wed, 3 Sep 2014 03:40:23 +0200
Subject: 338/103
---
 src/html/houdini_html_e.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
(limited to 'src/html/houdini_html_e.c')
diff --git a/src/html/houdini_html_e.c b/src/html/houdini_html_e.c
index 316c5ce..5cdd3dd 100644
--- a/src/html/houdini_html_e.c
+++ b/src/html/houdini_html_e.c
@@ -54,16 +54,8 @@ houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
 while (i < size && (esc = HTML_ESCAPE_TABLE[src[i]]) == 0)
 i++;
 
- if (i > org) {
- if (unlikely(org == 0)) {
- if (i >= size)
- return 0;
-
- gh_buf_grow(ob, HOUDINI_ESCAPED_SIZE(size));
- }
-
+ if (i > org)
 gh_buf_put(ob, src + org, i - org);
- }
 
 /* escaping */
 if (unlikely(i >= size))
-- 
cgit v1.2.3
From 9830d3a05a374a0d05676301bd4065917b59ad53 Mon Sep 17 00:00:00 2001
From: Vicent Marti
Date: Thu, 4 Sep 2014 17:42:12 +0200
Subject: 430/11
---
 src/html/houdini_html_e.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/html/houdini_html_e.c')
diff --git a/src/html/houdini_html_e.c b/src/html/houdini_html_e.c
index 5cdd3dd..95b6c41 100644
--- a/src/html/houdini_html_e.c
+++ b/src/html/houdini_html_e.c
@@ -62,8 +62,8 @@ houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
 break;
 
 /* The forward slash is only escaped in secure mode */
- if (src[i] == '/' && !secure) {
- gh_buf_putc(ob, '/');
+ if ((src[i] == '/' || src[i] == '\'') && !secure) {
+ gh_buf_putc(ob, src[i]);
 } else {
 gh_buf_puts(ob, HTML_ESCAPES[esc]);
 }
-- 
cgit v1.2.3
From 543c2c94d71adee42c7bd2f8027d75c87ed8120d Mon Sep 17 00:00:00 2001
From: Vicent Marti
Date: Thu, 4 Sep 2014 18:38:14 +0200
Subject: Rename to strbuf
---
 src/html/houdini_html_e.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'src/html/houdini_html_e.c')
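Review bot: After this hunk `houdini_escape_html0` can only ever return 1: the removed `return 0` branch was the one way the function reported "nothing to escape, `ob` untouched", yet the `int` return type stays, so any caller still testing the result for 0 now takes the wrong branch while `ob` has silently received a full copy of `src`. If the new contract is intended, it should be stated next to the definition, e.g. `/* Always appends the escaped form of src to ob; the return value is always 1. */`, and the remaining call sites checked for `== 0` tests. Dropping the `gh_buf_grow(ob, HOUDINI_ESCAPED_SIZE(size))` pre-sizing also means the buffer now grows on demand inside the loop; presumably acceptable, but worth a line in the commit message, which currently says only "338/103". The function's signature and its final `return 1` lie outside this hunk.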
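Review bot: The comment two lines above the changed condition, `/* The forward slash is only escaped in secure mode */`, is now stale: the apostrophe is also emitted verbatim when `secure` is 0, so non-secure output is no longer safe inside a single-quoted attribute value, where an unescaped `'` terminates the value. Replace it with `/* In non-secure mode '/' and '\'' are emitted unchanged; output for single-quoted attribute values must use secure mode */`. Note that `esc` is still looked up for these characters and simply unused on the pass-through path, which is fine but could be stated. The enclosing function starts and ends outside the hunk.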
diff --git a/src/html/houdini_html_e.c b/src/html/houdini_html_e.c
index 95b6c41..f2e86fe 100644
--- a/src/html/houdini_html_e.c
+++ b/src/html/houdini_html_e.c
@@ -45,7 +45,7 @@ static const char *HTML_ESCAPES[] = {
 };
 
 int
-houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
+houdini_escape_html0(strbuf *ob, const uint8_t *src, size_t size, int secure)
 {
 size_t i = 0, org, esc = 0;
 
@@ -55,7 +55,7 @@ houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
 i++;
 
 if (i > org)
- gh_buf_put(ob, src + org, i - org);
+ strbuf_put(ob, src + org, i - org);
 
 /* escaping */
 if (unlikely(i >= size))
@@ -63,9 +63,9 @@ houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
 
 /* The forward slash is only escaped in secure mode */
 if ((src[i] == '/' || src[i] == '\'') && !secure) {
- gh_buf_putc(ob, src[i]);
+ strbuf_putc(ob, src[i]);
 } else {
- gh_buf_puts(ob, HTML_ESCAPES[esc]);
+ strbuf_puts(ob, HTML_ESCAPES[esc]);
 }
 
 i++;
@@ -75,7 +75,7 @@ houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
 }
 
 int
-houdini_escape_html(gh_buf *ob, const uint8_t *src, size_t size)
+houdini_escape_html(strbuf *ob, const uint8_t *src, size_t size)
 {
 return houdini_escape_html0(ob, src, size, 1);
 }
-- 
cgit v1.2.3