Escape &<> when they appear in href text.

git-svn-id: svn://svn.tartarus.org/sgt/halibut@8743 cda61777-01e9-0310-a592-d414129be87e

diff --git a/bk_html.c b/bk_html.c
index 90800f1..e3202a5 100644 (file)
--- a/bk_html.c
+++ b/bk_html.c
@@ -2176,7 +2176,7 @@ static void html_words(htmloutput *ho, word *words, int flags,
                       htmlfile *file, keywordlist *keywords, htmlconfig *cfg)
 {
     word *w;
-    char *c;
+    char *c, *c2, *p, *q;
     int style, type;
 
     for (w = words; w; w = w->next) switch (w->type) {
@@ -2184,7 +2184,20 @@ static void html_words(htmloutput *ho, word *words, int flags,
        if (flags & LINKS) {
            element_open(ho, "a");
            c = utoa_dup(w->text, CS_ASCII);
-           element_attr(ho, "href", c);
+           c2 = snewn(1 + 10*strlen(c), char);
+           for (p = c, q = c2; *p; p++) {
+               if (*p == '&')
+                   q += sprintf(q, "&");
+               else if (*p == '<')
+                   q += sprintf(q, "&lt;");
+               else if (*p == '>')
+                   q += sprintf(q, "&gt;");
+               else
+                   *q++ = *p;
+           }
+           *q = '\0';
+           element_attr(ho, "href", c2);
+           sfree(c2);
            sfree(c);
        }
        break;

diff --git a/inputs/test.but b/inputs/test.but
index b1f669a..dddc2dd 100644 (file)
--- a/inputs/test.but
+++ b/inputs/test.but
@@ -278,6 +278,11 @@ Similarly, we should support things like hyperlinks
 and \e{in the \W{http://www.tartarus.org/}{middle} of them}, and also
 \e{at the \W{http://home.att.net/~cecw/lastpage.htm}{end}}.
 
+Here's a hyperlink containing some special characters:
+\W{http://a<b&c>d/}{here}. (Not that it'll \e{work}, but you can at
+least determine that it's been correctly escaped by inspection of
+the output HTML.)
+
 \#{FIXME: Unfortunately, we still don't quite do the right thing with
 references:
 How about a \e{reference to \k{subhead} here}? And at