From 9f3fdaa06dd64db443ad1a2fa34672e4934933d5 Mon Sep 17 00:00:00 2001
From: Christian Hofstaedtler
Date: Mon, 30 Sep 2013 11:01:50 +0200
Subject: [PATCH] stat webserver: escape HTML characters
Log messages, queries, etc. would let HTML characters through unfiltered. Fixes #1038.
---
 pdns/ws.cc | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/pdns/ws.cc b/pdns/ws.cc
index 8b1daadae..7c02d31d6 100644
--- a/pdns/ws.cc
+++ b/pdns/ws.cc
@@ -94,6 +94,26 @@ void *StatWebServer::threadHelper(void *p)
 return 0; // never reached
 }
+static string htmlescape(const string &s) {
+ string result;
+ for(string::const_iterator it=s.begin(); it!=s.end(); ++it) {
+ switch (*it) {
+ case '&':
+ result += "&";
+ break;
+ case '<':
+ result += "<";
+ break;
+ case '>':
+ result += ">";
+ break;
+ default:
+ result += *it;
+ }
+ }
+ return result;
+}
+
 void printtable(ostringstream &ret, const string &ringname, const string &title, int limit=10) {
 int tot=0;
@@ -124,7 +144,7 @@ void printtable(ostringstream &ret, const string &ringname, const string &title,
 int printed=0;
 int total=max(1,tot);
 for(vector >::const_iterator i=ring.begin();limit && i!=ring.end();++i,--limit) {
- ret<<""<first<<""<second<<""<< StatWebServer::makePercentage(i->second*100.0/total)<<""<"<first)<<""<second<<""<< StatWebServer::makePercentage(i->second*100.0/total)<<""<second; } ret<<""<
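Review bot: htmlescape in the first hunk replaces only `&`, `<` and `>`, which is sufficient for the text-node context it is used in (the table cell written in the second hunk) but not for an attribute value, where an unescaped `"` terminates the attribute; since a file-level helper with this name invites reuse, adding `case '"': result += "&quot;"; break;` and `case '\'': result += "&#39;"; break;` would make it safe in both contexts. As rendered on this page the replacement strings appear as the bare characters `&`, `<`, `>`, which would make the function a no-op; presumably the actual commit emits the `&amp;`, `&lt;` and `&gt;` entities, but that is worth confirming against the file. In the second hunk only `i->first` is passed through htmlescape, so the escaping covers just this ring-key output; the commit message mentions log messages and queries more broadly, and any other output paths in ws.cc are outside this diff and cannot be checked here. printtable begins and ends outside the second hunk. A minor point of style: `result.reserve(s.size());` before the loop avoids repeated growth for long inputs.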