From: Christian Hofstaedtler
Date: Mon, 30 Sep 2013 09:01:50 +0000 (+0200)
Subject: stat webserver: escape HTML characters
X-Git-Tag: rec-3.6.0-rc1~427^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9f3fdaa06dd64db443ad1a2fa34672e4934933d5;p=pdns

stat webserver: escape HTML characters

Log messages, queries, etc. would let HTML characters through unfiltered.

Fixes #1038.
---
diff --git a/pdns/ws.cc b/pdns/ws.cc
index 8b1daadae..7c02d31d6 100644
--- a/pdns/ws.cc
+++ b/pdns/ws.cc
@@ -94,6 +94,26 @@ void *StatWebServer::threadHelper(void *p)
 return 0; // never reached
 }

+static string htmlescape(const string &s) {
+ string result;
+ for(string::const_iterator it=s.begin(); it!=s.end(); ++it) {
+ switch (*it) {
+ case '&':
+ result += "&";
+ break;
+ case '<':
+ result += "<";
+ break;
+ case '>':
+ result += ">";
+ break;
+ default:
+ result += *it;
+ }
+ }
+ return result;
+}
+
 void printtable(ostringstream &ret, const string &ringname, const string &title, int limit=10)
 {
 int tot=0;
@@ -124,7 +144,7 @@ void printtable(ostringstream &ret, const string &ringname, const string &title,
 int printed=0;
 int total=max(1,tot);
 for(vector >::const_iterator i=ring.begin();limit && i!=ring.end();++i,--limit) {
- ret<<""<first<<""<second<<""<< StatWebServer::makePercentage(i->second*100.0/total)<<""<"<first)<<""<second<<""<< StatWebServer::makePercentage(i->second*100.0/total)<<""<second; } ret<<""<
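Review bot: `htmlescape` in the first hunk covers only `&`, `<` and `>`, which is sufficient for the element content it is used for in `printtable` but not for attribute values, where `"` (and `'`) would also need escaping; a comment on the function stating that limit would keep a later caller from reusing it inside an attribute, e.g. `// Escapes only &, < and > — safe for element content, NOT for attribute values.` As this page renders the hunk, the replacement strings appear as `"&"`, `"<"` and `">"`, which would make the switch a no-op; that is most likely the page decoding the entities, but the checked-in source should be confirmed to contain the entity forms `&amp;`, `&lt;` and `&gt;`. Adding `result.reserve(s.size());` before the loop would avoid repeated reallocation on long ring keys at no cost to readability. The second hunk escapes only `i->first`, which is consistent with `i->second` being the numeric count used in `makePercentage`.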