Created poststr_escaped

src/httpserver/http_fns.c

@@ -137,7 +137,9 @@ void add_label_input(http_request_t* request, char* inputType, char* label, char
 
 	//These individual strings should be less than 256 .. yes hprintf255 uses 256 char buffer
 	hprintf255(request, "<label for=\"%s\">%s:</label><br>", fieldId, label);
-	hprintf255(request, "<input type=\"%s\" id=\"%s\" name=\"%s\" value=\"%s\">", inputType, fieldId, fieldId, value);
+	hprintf255(request, "<input type=\"%s\" id=\"%s\" name=\"%s\" value=\"", inputType, fieldId, fieldId);
+	poststr_escaped(request, value);	//All values should be escaped to ensure generate HTML is correct
+	poststr(request, "\">");
 }
 
 /// @brief Generates a pair of label and text field elements.
@@ -885,10 +887,7 @@ int http_fn_cfg_name(http_request_t* request) {
 
 	poststr(request, "<h2> Use this to change device names</h2>");
 	add_label_text_field(request, "ShortName", "shortName", CFG_GetShortDeviceName(), "<form action=\"/cfg_name\">");
-
-	char escapedDeviceName[256];
-	html_escape(CFG_GetDeviceName(), escapedDeviceName, sizeof(escapedDeviceName));
-	add_label_text_field(request, "Full Name", "name", escapedDeviceName, "<br>");
+	add_label_text_field(request, "Full Name", "name", CFG_GetDeviceName(), "<br>");
 
 	poststr(request, "<br><br>");
 	poststr(request, "<input type=\"submit\" value=\"Submit\" "

src/httpserver/new_http.c

@@ -140,75 +140,61 @@ int my_strnicmp(char* a, char* b, int len) {
 }
 
 
-/// @brief Escape special characters in html.
-/// @param in
-/// @param outBuffer 
-/// @param outBufferLength
-/// @param script_safe Pass true, if the content part of script
-void html_escape(char* in, char* outBuffer, int outBufferLength) {
-	int outPos = 0;
-	bool canCopy = true;
-	for (int i = 0; canCopy && (i < strlen(in)); i++) {
-		switch (in[i]) {
+/// @brief Write escaped data to the response.
+/// @param request
+/// @param str
+void poststr_escaped(http_request_t* request, char* str) {
+	if (str == NULL) {
+		postany(request, NULL, 0);
+		return;
+	}
+
+	int i;
+	bool foundChar = false;
+	int len = strlen(str);
+
+	//Do a quick check if escaping is necessary
+	for (i = 0; (foundChar == false) && (i < len); i++) {
+		switch (str[i]) {
 		case '<':
-			if ((outPos + 5) < outBufferLength) {
-				outBuffer[outPos++] = '&';
-				outBuffer[outPos++] = 'l';
-				outBuffer[outPos++] = 't';
-				outBuffer[outPos++] = ';';
-			}
-			else {
-				canCopy = false;
-			}
+			foundChar = true;
 			break;
 		case '>':
-			if ((outPos + 5) < outBufferLength) {
-				outBuffer[outPos++] = '&';
-				outBuffer[outPos++] = 'g';
-				outBuffer[outPos++] = 't';
-				outBuffer[outPos++] = ';';
-			}
-			else {
-				canCopy = false;
-			}
+			foundChar = true;
 			break;
 		case '&':
-			if ((outPos + 6) < outBufferLength) {
-				outBuffer[outPos++] = '&';
-				outBuffer[outPos++] = 'a';
-				outBuffer[outPos++] = 'm';
-				outBuffer[outPos++] = 'p';
-				outBuffer[outPos++] = ';';
-			}
-			else {
-				canCopy = false;
-			}
+			foundChar = true;
 			break;
 		case '"':
-			if ((outPos + 7) < outBufferLength) {
-				outBuffer[outPos++] = '&';
-				outBuffer[outPos++] = 'q';
-				outBuffer[outPos++] = 'u';
-				outBuffer[outPos++] = 'o';
-				outBuffer[outPos++] = 't';
-				outBuffer[outPos++] = ';';
-			}
-			else {
-				canCopy = false;
-			}
-			break;
-		default:
-			if ((outPos + 1) < outBufferLength) {
-				outBuffer[outPos++] = in[i];
-			}
-			else {
-				canCopy = false;
-			}
+			foundChar = true;
 			break;
 		}
 	}
 
-	outBuffer[outPos] = 0;
+	if (foundChar) {
+		for (i = 0; i < len; i++) {
+			switch (str[i]) {
+			case '<':
+				postany(request, "&lt;", 4);
+				break;
+			case '>':
+				postany(request, "&gt;", 4);
+				break;
+			case '&':
+				postany(request, "&amp;", 5);
+				break;
+			case '"':
+				postany(request, "&quot;", 6);
+				break;
+			default:
+				postany(request, str + i, 1);
+				break;
+			}
+		}
+	}
+	else {
+		postany(request, str, strlen(str));
+	}
 }
 
 bool http_startsWith(const char* base, const char* substr) {
@@ -248,14 +234,10 @@ void http_setup(http_request_t* request, const char* type) {
 void http_html_start(http_request_t* request, const char* pagename) {
 	poststr(request, htmlDoctype);
 	poststr(request, "<head><title>");
-
-	char escapedDeviceName[256];
-	html_escape(CFG_GetDeviceName(), escapedDeviceName, sizeof(escapedDeviceName));
-	poststr(request, escapedDeviceName);
+	poststr_escaped(request, CFG_GetDeviceName());
 
 	if (pagename) {
-		poststr(request, " - ");
-		poststr(request, pagename);
+		hprintf255(request, " - %s", pagename);
 	}
 	poststr(request, "</title>");
 	poststr(request, htmlShortcutIcon);
@@ -263,7 +245,7 @@ void http_html_start(http_request_t* request, const char* pagename) {
 	poststr(request, htmlHeadStyle);
 	poststr(request, "</head>");
 	poststr(request, htmlBodyStart);
-	poststr(request, escapedDeviceName);
+	poststr_escaped(request, CFG_GetDeviceName());
 	poststr(request, htmlBodyStart2);
 }
 

src/httpserver/new_http.h

@@ -61,6 +61,7 @@ void http_setup(http_request_t* request, const char* type);
 void http_html_start(http_request_t* request, const char* pagename);
 void http_html_end(http_request_t* request);
 int poststr(http_request_t* request, const char* str);
+void poststr_escaped(http_request_t* request, char* str);
 int postany(http_request_t* request, const char* str, int len);
 void misc_formatUpTimeString(int totalSeconds, char* o);
 // void HTTP_AddBuildFooter(http_request_t *request);
@@ -85,6 +86,4 @@ typedef int (*http_callback_fn)(http_request_t* request);
 // urls must be unique (i.e. you can't have /about and /aboutme or /about/me)
 int HTTP_RegisterCallback(const char* url, int method, http_callback_fn callback);
 
-void html_escape(char* in, char* outBuffer, int outBufferLength);
-
 #endif

src/httpserver/rest_interface.c

@@ -260,9 +260,9 @@ static int http_rest_app(http_request_t* request) {
 	if (webhost && ourip) {
 		poststr(request, htmlDoctype);
 
-		char escapedDeviceName[256];
-		html_escape(CFG_GetDeviceName(), escapedDeviceName, sizeof(escapedDeviceName));
-		hprintf255(request, "<head><title>%s</title>", escapedDeviceName);
+		poststr(request, "<head><title>");
+		poststr_escaped(request, CFG_GetDeviceName());
+		poststr(request, "</title>");
 
 		poststr(request, htmlShortcutIcon);
 		poststr(request, htmlHeadMeta);