From 0dfaac7284d7f1a54e957bba4a881d93328c1630 Mon Sep 17 00:00:00 2001 From: simon Date: Tue, 10 Nov 2009 19:03:11 +0000 Subject: [PATCH] Escape &<> when they appear in href text. git-svn-id: svn://svn.tartarus.org/sgt/halibut@8743 cda61777-01e9-0310-a592-d414129be87e --- bk_html.c | 17 +++++++++++++++-- inputs/test.but | 5 +++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/bk_html.c b/bk_html.c index 90800f1..e3202a5 100644 --- a/bk_html.c +++ b/bk_html.c @@ -2176,7 +2176,7 @@ static void html_words(htmloutput *ho, word *words, int flags, htmlfile *file, keywordlist *keywords, htmlconfig *cfg) { word *w; - char *c; + char *c, *c2, *p, *q; int style, type; for (w = words; w; w = w->next) switch (w->type) { @@ -2184,7 +2184,20 @@ static void html_words(htmloutput *ho, word *words, int flags, if (flags & LINKS) { element_open(ho, "a"); c = utoa_dup(w->text, CS_ASCII); - element_attr(ho, "href", c); + c2 = snewn(1 + 10*strlen(c), char); + for (p = c, q = c2; *p; p++) { + if (*p == '&') + q += sprintf(q, "&"); + else if (*p == '<') + q += sprintf(q, "<"); + else if (*p == '>') + q += sprintf(q, ">"); + else + *q++ = *p; + } + *q = '\0'; + element_attr(ho, "href", c2); + sfree(c2); sfree(c); } break; diff --git a/inputs/test.but b/inputs/test.but index b1f669a..dddc2dd 100644 --- a/inputs/test.but +++ b/inputs/test.but @@ -278,6 +278,11 @@ Similarly, we should support things like hyperlinks and \e{in the \W{http://www.tartarus.org/}{middle} of them}, and also \e{at the \W{http://home.att.net/~cecw/lastpage.htm}{end}}. +Here's a hyperlink containing some special characters: +\W{http://ad/}{here}. (Not that it'll \e{work}, but you can at +least determine that it's been correctly escaped by inspection of +the output HTML.) + \#{FIXME: Unfortunately, we still don't quite do the right thing with references: How about a \e{reference to \k{subhead} here}? And at -- 2.11.0
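Review bot: The escaping loop added ahead of `element_attr(ho, "href", c2)` covers `&`, `<` and `>` but not the double quote, which is the character that matters most inside an attribute value: if element_attr (not visible in this hunk) writes the value verbatim between double quotes, a `"` in a \W{} URL would end the href early and the remainder would be parsed as further markup. I would add a fourth branch, `else if (*p == '"')` followed by `q += sprintf(q, "&quot;");`, which still fits the `1 + 10*strlen(c)` allocation because the longest replacement is six bytes. The three replacement literals display on this page as `"&"`, `"<"` and `">"`, presumably entity-decoded by the page rendering, so confirm against the repository that they are the entity forms. The new paragraph in inputs/test.but could carry a quote character in its URL so the same inspection of the output HTML covers that case. html_words begins and ends outside this hunk.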