--- a/src/server/plugins/postgresql/service.c Thu Jan 27 15:50:42 2022 +0100
+++ b/src/server/plugins/postgresql/service.c Thu Jan 27 18:46:38 2022 +0100
@@ -76,7 +76,12 @@
 if(nfields > 0) {
 net_printf(sn->csd, "<table>\n<tr>\n");
 for(int i=0;i<nfields;i++) {
- net_printf(sn->csd, "<th>%s</th>\n", PQfname(result, i));
+ char *fieldName = PQfname(result, i);
+ char *fieldNameEscaped = util_html_escape(fieldName);
+ if(fieldNameEscaped) {
+ net_printf(sn->csd, "<th>%s</th>\n", fieldNameEscaped);
+ FREE(fieldNameEscaped);
+ }
 }
 net_printf(sn->csd, "</tr>\n");
@@ -84,7 +89,12 @@
 for(int r=0;r<nrows;r++) {
 net_printf(sn->csd, "<tr>\n");
 for(int c=0;c<nfields;c++) {
- net_printf(sn->csd, "<td>%s</td>\n", PQgetvalue(result, r, c));
+ char *fieldValue = PQgetvalue(result, r, c);
+ char *fieldValueEscaped = util_html_escape(fieldValue);
+ if(fieldValueEscaped) {
+ net_printf(sn->csd, "<td>%s</td>\n", fieldValueEscaped);
+ FREE(fieldValueEscaped);
+ }
 }
 net_printf(sn->csd, "</tr>\n");
 }
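Review bot: When `util_html_escape(fieldName)` returns NULL the new `if(fieldNameEscaped)` guard silently emits no `<th>` at all, so the header row ends up with fewer cells than `nfields` and every data column below it is shifted against the wrong heading, while the response still goes out looking complete. Escaping the column name before printing it into the HTML is the right fix (column names can be attacker-chosen via aliases in the query), but the failure path should not degrade quietly: either emit a placeholder cell, `} else { net_printf(sn->csd, "<th></th>\n"); }`, or treat the NULL as the allocation failure it presumably is and stop generating the response. The enclosing function starts before this hunk, so the appropriate error return is not visible here; a comment such as `/* util_html_escape returns NULL on allocation failure — abort the table */` above the guard would document the intent either way.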
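Review bot: The same silent-drop pattern appears in the row loop: a NULL from `util_html_escape(fieldValue)` skips the `<td>` entirely, and because the loop simply continues, a single failed allocation mid-row produces a truncated row in an otherwise normal-looking 200 response that the caller cannot distinguish from a legitimately short result. Since libpq documents `PQgetvalue` as returning an empty string rather than NULL for SQL NULLs, the NULL check here is reacting to the escaper, not to the data, so it should be handled as an error rather than as "nothing to print"; `if(!fieldValueEscaped) { break; }` together with an error status from the enclosing function (whose signature and cleanup are outside this hunk) would keep the two loops consistent. The `util_html_escape` + `FREE` pair now runs once per cell; that is fine for correctness, but a one-line comment noting that the escaper allocates and that `FREE` is the matching release would help the next reader who sees the naked `FREE` macro.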