diff options
author | Mark Lodato <lodatom@gmail.com> | 2010-02-10 00:12:43 (JST) |
---|---|---|
committer | Mark Lodato <lodatom@gmail.com> | 2010-02-10 00:12:43 (JST) |
commit | a2c6355f9fdede78ce46aeee39ef649637aaadf9 (patch) | |
tree | 4ed595f688691e7a35c5684ca59164bcc777b74c | |
parent | 8aab27f24de70acfbdcee31c634a4b1facf23b92 (diff) | |
download | cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.zip cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.tar.gz |
html: properly percent-escape URLs
The only valid characters for a URL are unreserved characters
a-zA-Z0-9_-.~ and the reserved characters !*'();:@&=+$,/?%#[] , as per
RFC 3986. Everything else must be escaped. Additionally, the # and
? always have special meaning, and the &, =, and + have special meaning
in a query string, so they too must be escaped. To make this easier,
a table of escapes is now used so that we do not have to call fmt() for
each character; if the entry is 0, no escaping is needed.
Signed-off-by: Mark Lodato <lodatom@gmail.com>
-rw-r--r-- | html.c | 36 |
1 files changed, 32 insertions, 4 deletions
@@ -13,6 +13,32 @@ | |||
13 | #include <string.h> | 13 | #include <string.h> |
14 | #include <errno.h> | 14 | #include <errno.h> |
15 | 15 | ||
16 | /* Percent-encoding of each character, except: a-zA-Z0-9!$()*,./:;@- */ | ||
17 | static const char* url_escape_table[256] = { | ||
18 | "%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09", | ||
19 | "%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%10", "%11", "%12", "%13", | ||
20 | "%14", "%15", "%16", "%17", "%18", "%19", "%1a", "%1b", "%1c", "%1d", | ||
21 | "%1e", "%1f", "%20", 0, "%22", "%23", 0, "%25", "%26", "%27", 0, 0, 0, | ||
22 | "%2b", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%3c", "%3d", | ||
23 | "%3e", "%3f", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||
24 | 0, 0, 0, 0, 0, 0, 0, 0, 0, "%5c", 0, "%5e", 0, "%60", 0, 0, 0, 0, 0, | ||
25 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%7b", | ||
26 | "%7c", "%7d", 0, "%7f", "%80", "%81", "%82", "%83", "%84", "%85", | ||
27 | "%86", "%87", "%88", "%89", "%8a", "%8b", "%8c", "%8d", "%8e", "%8f", | ||
28 | "%90", "%91", "%92", "%93", "%94", "%95", "%96", "%97", "%98", "%99", | ||
29 | "%9a", "%9b", "%9c", "%9d", "%9e", "%9f", "%a0", "%a1", "%a2", "%a3", | ||
30 | "%a4", "%a5", "%a6", "%a7", "%a8", "%a9", "%aa", "%ab", "%ac", "%ad", | ||
31 | "%ae", "%af", "%b0", "%b1", "%b2", "%b3", "%b4", "%b5", "%b6", "%b7", | ||
32 | "%b8", "%b9", "%ba", "%bb", "%bc", "%bd", "%be", "%bf", "%c0", "%c1", | ||
33 | "%c2", "%c3", "%c4", "%c5", "%c6", "%c7", "%c8", "%c9", "%ca", "%cb", | ||
34 | "%cc", "%cd", "%ce", "%cf", "%d0", "%d1", "%d2", "%d3", "%d4", "%d5", | ||
35 | "%d6", "%d7", "%d8", "%d9", "%da", "%db", "%dc", "%dd", "%de", "%df", | ||
36 | "%e0", "%e1", "%e2", "%e3", "%e4", "%e5", "%e6", "%e7", "%e8", "%e9", | ||
37 | "%ea", "%eb", "%ec", "%ed", "%ee", "%ef", "%f0", "%f1", "%f2", "%f3", | ||
38 | "%f4", "%f5", "%f6", "%f7", "%f8", "%f9", "%fa", "%fb", "%fc", "%fd", | ||
39 | "%fe", "%ff" | ||
40 | }; | ||
41 | |||
16 | int htmlfd = STDOUT_FILENO; | 42 | int htmlfd = STDOUT_FILENO; |
17 | 43 | ||
18 | char *fmt(const char *format, ...) | 44 | char *fmt(const char *format, ...) |
@@ -135,9 +161,10 @@ void html_url_path(const char *txt) | |||
135 | const char *t = txt; | 161 | const char *t = txt; |
136 | while(t && *t){ | 162 | while(t && *t){ |
137 | int c = *t; | 163 | int c = *t; |
138 | if (c=='"' || c=='#' || c=='\'' || c=='?') { | 164 | const char *e = url_escape_table[c]; |
165 | if (e && c!='+' && c!='&' && c!='+') { | ||
139 | write(htmlfd, txt, t - txt); | 166 | write(htmlfd, txt, t - txt); |
140 | write(htmlfd, fmt("%%%2x", c), 3); | 167 | write(htmlfd, e, 3); |
141 | txt = t+1; | 168 | txt = t+1; |
142 | } | 169 | } |
143 | t++; | 170 | t++; |
@@ -151,9 +178,10 @@ void html_url_arg(const char *txt) | |||
151 | const char *t = txt; | 178 | const char *t = txt; |
152 | while(t && *t){ | 179 | while(t && *t){ |
153 | int c = *t; | 180 | int c = *t; |
154 | if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') { | 181 | const char *e = url_escape_table[c]; |
182 | if (e) { | ||
155 | write(htmlfd, txt, t - txt); | 183 | write(htmlfd, txt, t - txt); |
156 | write(htmlfd, fmt("%%%2x", c), 3); | 184 | write(htmlfd, e, 3); |
157 | txt = t+1; | 185 | txt = t+1; |
158 | } | 186 | } |
159 | t++; | 187 | t++; |