ui-shared: prevent malicious filename from injecting headers

2025-08-02 00:54:36 +02:00 · 2016-01-14 14:28:37 +01:00 · 2016-01-14 14:28:37 +01:00 · 513b3863d9
commit 513b3863d9
parent 4291453ec3
3 changed files with 32 additions and 3 deletions
--- a/html.c
+++ b/html.c
@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
 		html(txt);
 }

+void html_header_arg_in_quotes(const char *txt)
+{
+	const char *t = txt;
+	while (t && *t) {
+		unsigned char c = *t;
+		const char *e = NULL;
+		if (c == '\\')
+			e = "\\\\";
+		else if (c == '\r')
+			e = "\\r";
+		else if (c == '\n')
+			e = "\\n";
+		else if (c == '"')
+			e = "\\\"";
+		if (e) {
+			html_raw(txt, t - txt);
+			html(e);
+			txt = t + 1;
+		}
+		t++;
+	}
+	if (t != txt)
+		html(txt);
+
+}
+
 void html_hidden(const char *name, const char *value)
 {
 	html("<input type='hidden' name='");