aboutsummaryrefslogtreecommitdiffstats
path: root/html.c
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2016-01-14 14:28:37 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2016-01-14 14:28:37 +0100
commit513b3863d999f91b47d7e9f26710390db55f9463 (patch)
treef704af1ea3f8da9b3b2904fbe8ed8233278314c6 /html.c
parent4291453ec30656c2f59645d8a74cf295ce0253a9 (diff)
downloadcgit-513b3863d999f91b47d7e9f26710390db55f9463.tar.gz
cgit-513b3863d999f91b47d7e9f26710390db55f9463.tar.bz2
cgit-513b3863d999f91b47d7e9f26710390db55f9463.zip
ui-shared: prevent malicious filename from injecting headers
Diffstat (limited to 'html.c')
-rw-r--r--html.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/html.c b/html.c
index 959148c..d89df3a 100644
--- a/html.c
+++ b/html.c
@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
html(txt);
}
+void html_header_arg_in_quotes(const char *txt)
+{
+ const char *t = txt;
+ while (t && *t) {
+ unsigned char c = *t;
+ const char *e = NULL;
+ if (c == '\\')
+ e = "\\\\";
+ else if (c == '\r')
+ e = "\\r";
+ else if (c == '\n')
+ e = "\\n";
+ else if (c == '"')
+ e = "\\\"";
+ if (e) {
+ html_raw(txt, t - txt);
+ html(e);
+ txt = t + 1;
+ }
+ t++;
+ }
+ if (t != txt)
+ html(txt);
+
+}
+
void html_hidden(const char *name, const char *value)
{
html("<input type='hidden' name='");