escape html output in pg_query webdav

Thu, 27 Jan 2022 18:46:38 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Thu, 27 Jan 2022 18:46:38 +0100
branch
webdav
changeset 274
607712fb3c66
parent 273
f4eb5d125e58
child 275
535004faa1a5

escape html output in pg_query

src/server/plugins/postgresql/service.c
src/server/public/nsapi.h
src/server/util/util.h
--- a/src/server/plugins/postgresql/service.c	Thu Jan 27 15:50:42 2022 +0100
+++ b/src/server/plugins/postgresql/service.c	Thu Jan 27 18:46:38 2022 +0100
@@ -76,7 +76,12 @@
     if(nfields > 0) {
         net_printf(sn->csd, "<table>\n<tr>\n");
         for(int i=0;i<nfields;i++) {
-            net_printf(sn->csd, "<th>%s</th>\n", PQfname(result, i));
+            char *fieldName = PQfname(result, i);
+            char *fieldNameEscaped = util_html_escape(fieldName);
+            if(fieldNameEscaped) {
+                net_printf(sn->csd, "<th>%s</th>\n", fieldNameEscaped);
+                FREE(fieldNameEscaped);
+            }
         }
         net_printf(sn->csd, "</tr>\n");
         
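Review bot: When `util_html_escape` returns NULL the new code emits nothing for that column, so a failed escape silently drops a `<th>` cell and the header row no longer lines up with the data rows; the same pattern recurs in the second hunk of this file for `<td>` cells. Since the escaped copy is freed with FREE() and NULL is treated as failure, the fallback should keep the table shape or abort the response rather than skip the cell, e.g. `} else { net_printf(sn->csd, "<th></th>\n"); }` (and `<td></td>` in the row loop), or return an error status after the loop. The enclosing function starts before this hunk and continues past it, so how errors are reported from here cannot be seen in the diff.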
@@ -84,7 +89,12 @@
         for(int r=0;r<nrows;r++) {
             net_printf(sn->csd, "<tr>\n");
             for(int c=0;c<nfields;c++) {
-                net_printf(sn->csd, "<td>%s</td>\n", PQgetvalue(result, r, c));
+                char *fieldValue = PQgetvalue(result, r, c);
+                char *fieldValueEscaped = util_html_escape(fieldValue);
+                if(fieldValueEscaped) {
+                    net_printf(sn->csd, "<td>%s</td>\n", fieldValueEscaped);
+                    FREE(fieldValueEscaped);
+                }
             }
             net_printf(sn->csd, "</tr>\n");
         }
--- a/src/server/public/nsapi.h	Thu Jan 27 15:50:42 2022 +0100
+++ b/src/server/public/nsapi.h	Thu Jan 27 18:46:38 2022 +0100
@@ -1612,6 +1612,9 @@
 ResourceData* resourcepool_lookup(Session *sn, Request *rq, const char *name, int flags);
 void resourcepool_free(Session *sn, Request *rq, ResourceData *resource);
 
+// utils
+NSAPI_PUBLIC char *util_html_escape(const char *s);
+
 // assert
 void ws_log_assert(const char *file, const char *func, int line);
 #ifdef _DEBUG
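Review bot: `util_html_escape` is promoted to the public NSAPI header without documenting its contract, and the callers in service.c show that it allocates and can return NULL, which plugin authors cannot learn from the bare prototype. Replace the `// utils` line with a short contract comment, e.g. `// Returns a newly allocated copy of s with HTML special characters escaped,` / `// or NULL on failure; the caller releases it with FREE().` — whether NULL input is accepted is not visible here and should be stated once confirmed against the implementation.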
--- a/src/server/util/util.h	Thu Jan 27 15:50:42 2022 +0100
+++ b/src/server/util/util.h	Thu Jan 27 18:46:38 2022 +0100
@@ -229,8 +229,6 @@
 
 NSAPI_PUBLIC int64_t util_atoi64(const char *a);
 
-NSAPI_PUBLIC char *util_html_escape(const char *s);
-
 NSAPI_PUBLIC int util_qtoi(const char *q, const char **p);
 
 /* path utils */
