From a5769a5db00f8dcfbd90405eb1376a9643076942 Mon Sep 17 00:00:00 2001 From: Indu Prakash Date: Fri, 4 Nov 2022 19:15:48 -0500 Subject: [PATCH] Added shortcut icon, Escaped deviceName at some places --- favicon.ico | Bin 0 -> 1150 bytes src/httpserver/http_fns.c | 6 +- src/httpserver/new_http.c | 95 ++++++++++++++++++++-- src/httpserver/new_http.h | 6 ++ src/httpserver/rest_interface.c | 137 +++++++++++--------------------- 5 files changed, 144 insertions(+), 100 deletions(-) create mode 100644 favicon.ico diff --git a/favicon.ico b/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..8a0ccd5194c78f5ce2708e1c0e780ea77d18c78f GIT binary patch literal 1150 zcmcgqy9xq944gy3_9|;TAFYL@zaxHyUuEs5Soj&jniz&;vkNCE-Vw8zWM;CQz##89 zLVi~`&4DF=jf6mg7%mBr-XEVLUNJtg=Df}poQs9&Y=d4;E6-2WS;ObmH~VuJ_A=Y* zS|f6Jw!7>To%eQMn{(WK9dnV^SNY{?5${s(L51)6ao^sqJ&f*_caqvYxG%H$)J&^t zZq$lr-y>@{-#n)3%-5RV=I}nZJG0;8W{k7Ux&M<||LM;o@K^)4nZL Gqudv@ehZlZ literal 0 HcmV?d00001 diff --git a/src/httpserver/http_fns.c b/src/httpserver/http_fns.c index abdea3f58..be2840907 100644 --- a/src/httpserver/http_fns.c +++ b/src/httpserver/http_fns.c @@ -885,7 +885,11 @@ int http_fn_cfg_name(http_request_t* request) { poststr(request, "

Use this to change device names

"); add_label_text_field(request, "ShortName", "shortName", CFG_GetShortDeviceName(), "
"); - add_label_text_field(request, "Full Name", "name", CFG_GetDeviceName(), "
"); + + char escapedDeviceName[256]; + html_escape(CFG_GetDeviceName(), escapedDeviceName, 255); + add_label_text_field(request, "Full Name", "name", escapedDeviceName, "
"); + poststr(request, "

"); poststr(request, "" "" "";
@@ -136,6 +139,78 @@ int my_strnicmp(char* a, char* b, int len) {
 return 0;
 }
+
+/// @brief Escape special characters in html.
+/// @param in
+/// @param outBuffer
+/// @param outBufferLength
+/// @param script_safe Pass true, if the content part of script
+void html_escape(char* in, char* outBuffer, int outBufferLength) {
+ int outPos = 0;
+ bool canCopy = true;
+ for (int i = 0; canCopy && (i < strlen(in)); i++) {
+ switch (in[i]) {
+ case '<':
+ if ((outPos + 5) < outBufferLength) {
+ outBuffer[outPos++] = '&';
+ outBuffer[outPos++] = 'l';
+ outBuffer[outPos++] = 't';
+ outBuffer[outPos++] = ';';
+ }
+ else {
+ canCopy = false;
+ }
+ break;
+ case '>':
+ if ((outPos + 5) < outBufferLength) {
+ outBuffer[outPos++] = '&';
+ outBuffer[outPos++] = 'g';
+ outBuffer[outPos++] = 't';
+ outBuffer[outPos++] = ';';
+ }
+ else {
+ canCopy = false;
+ }
+ break;
+ case '&':
+ if ((outPos + 6) < outBufferLength) {
+ outBuffer[outPos++] = '&';
+ outBuffer[outPos++] = 'a';
+ outBuffer[outPos++] = 'm';
+ outBuffer[outPos++] = 'p';
+ outBuffer[outPos++] = ';';
+ }
+ else {
+ canCopy = false;
+ }
+ break;
+ case '"':
+ if ((outPos + 7) < outBufferLength) {
+ outBuffer[outPos++] = '&';
+ outBuffer[outPos++] = 'q';
+ outBuffer[outPos++] = 'u';
+ outBuffer[outPos++] = 'o';
+ outBuffer[outPos++] = 't';
+ outBuffer[outPos++] = ';';
+ }
+ else {
+ canCopy = false;
+ }
+ break;
+ default:
+ if ((outPos + 1) < outBufferLength) {
+ outBuffer[outPos++] = in[i];
+ }
+ else {
+ canCopy = false;
+ }
+ break;
+ }
+ }
+
+ outBuffer[outPos] = 0;
+}
+
 bool http_startsWith(const char* base, const char* substr) {
 while (*substr != 0) {
 if (*base != *substr)
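Review bot: `html_escape` never escapes the single quote, so its output is only safe in element text and double-quoted attributes; a caller that drops it into a single-quoted attribute or inline script stays injectable, and nothing in the helper says so. I would add a `case '\''` emitting `&#39;` next to the `"` case, as below. Two smaller points in the same function: the Doxygen block documents a `script_safe` parameter that the signature does not have, and `strlen(in)` is re-evaluated every iteration in a signed/unsigned compare — `in[i] != 0` as the loop bound reads the same and lets `in` become `const char*` (the prototype in new_http.h would change in step). If `CFG_GetDeviceName()` can ever return NULL (not visible here) the helper dereferences it unguarded.
```c
/// @brief Escape <, >, &, " and ' for HTML text and quoted attributes.
/// Output is always NUL-terminated and truncated at an entity boundary if it does not fit.
void html_escape(const char* in, char* outBuffer, int outBufferLength) {
    int outPos = 0;
    bool canCopy = true;
    for (int i = 0; canCopy && in[i] != 0; i++) {
        switch (in[i]) {
        // … unchanged: '<', '>', '&', '"' cases …
        case '\'':
            if ((outPos + 6) < outBufferLength) {
                outBuffer[outPos++] = '&';
                outBuffer[outPos++] = '#';
                outBuffer[outPos++] = '3';
                outBuffer[outPos++] = '9';
                outBuffer[outPos++] = ';';
            }
            else {
                canCopy = false;
            }
            break;
        // … unchanged: default case, loop close, terminator …
```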
@@ -172,17 +247,23 @@ void http_setup(http_request_t* request, const char* type) {
 void http_html_start(http_request_t* request, const char* pagename) {
 poststr(request, htmlDoctype);
- poststr(request, "");
- poststr(request, CFG_GetDeviceName()); // todo: check escaping
+ poststr(request, "<head><title>");
+
+ char escapedDeviceName[256];
+ html_escape(CFG_GetDeviceName(), escapedDeviceName, 255);
+ poststr(request, escapedDeviceName);
+
 if (pagename) {
 poststr(request, " - ");
 poststr(request, pagename);
 }
 poststr(request, "");
- poststr(request, htmlHeadMain);
+ poststr(request, htmlShortcutIcon);
+ poststr(request, htmlHeadMeta);
 poststr(request, htmlHeadStyle);
+ poststr(request, "");
 poststr(request, htmlBodyStart);
- poststr(request, CFG_GetDeviceName()); // todo: check escaping
+ poststr(request, escapedDeviceName);
 poststr(request, htmlBodyStart2);
 }
@@ -429,7 +510,7 @@ int hprintf255(http_request_t* request, const char* fmt, ...) {
 va_list argList;
 //BaseType_t taken;
 char tmp[256];
- memset(tmp, 0, 256);
+ memset(tmp, 0, 256);
 va_start(argList, fmt);
 vsnprintf(tmp, 255, fmt, argList);
 va_end(argList);
@@ -556,7 +637,7 @@ int HTTP_ProcessPacket(http_request_t* request) {
 int method = callbacks[i]->method;
 if (method == HTTP_ANY || method == request->method) {
 return callbacks[i]->callback(request);
- }
+ }
 }
 }
 if (http_checkUrlBase(urlStr, "")) return http_fn_empty_url(request);
diff --git a/src/httpserver/new_http.h b/src/httpserver/new_http.h
index 8fb81dfff..19c41135d 100644
--- a/src/httpserver/new_http.h
+++ b/src/httpserver/new_http.h
@@ -8,6 +8,10 @@ extern const char httpMimeTypeText[]; // TEXT MIME type
 extern const char httpMimeTypeJson[];
 extern const char httpMimeTypeBinary[];
+extern const char htmlShortcutIcon[];
+extern const char htmlDoctype[];
+extern const char htmlHeadMeta[];
+
 extern const char htmlFooterReturnToMenu[];
 extern const char htmlFooterRefreshLink[];
 extern const char htmlFooterReturnToCfgLink[];
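Review bot: `pagename` is still emitted with a bare `poststr` right between the two newly escaped device-name writes, so the title is only as safe as each caller's argument; the callers visible in this patch pass literals, but the function gives no hint that this is a requirement. I would record it on the function, `// pagename is written verbatim: callers must pass a literal or already-escaped string`, or escape it into a second buffer. The `char escapedDeviceName[256]` plus `html_escape(..., 255)` pair is now repeated in three places (here, http_fn_cfg_name, http_rest_app); a small `static void post_escaped_device_name(http_request_t* request)` helper would keep the buffer size and truncation policy in one spot. Note that `html_escape` silently truncates a name whose entities expand past 255 bytes — harmless for a title, but worth a one-line comment where the 255 is passed.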
@@ -81,4 +85,6 @@ typedef int (*http_callback_fn)(http_request_t* request);
 // urls must be unique (i.e. you can't have /about and /aboutme or /about/me)
 int HTTP_RegisterCallback(const char* url, int method, http_callback_fn callback);
+void html_escape(char* in, char* outBuffer, int outBufferLength);
+
 #endif
diff --git a/src/httpserver/rest_interface.c b/src/httpserver/rest_interface.c
index 97d298afb..15bbebb46 100644
--- a/src/httpserver/rest_interface.c
+++ b/src/httpserver/rest_interface.c
@@ -52,7 +52,6 @@ static int http_rest_get_logconfig(http_request_t* request);
 static int http_rest_get_lfs_file(http_request_t* request);
 static int http_rest_post_lfs_file(http_request_t* request);
 #endif
-static int http_favicon(http_request_t* request);
 static int http_rest_post_reboot(http_request_t* request);
 static int http_rest_post_flash(http_request_t* request, int startaddr, int maxaddr);
@@ -77,57 +76,8 @@ void init_rest() {
 HTTP_RegisterCallback("/api/", HTTP_GET, http_rest_get);
 HTTP_RegisterCallback("/api/", HTTP_POST, http_rest_post);
 HTTP_RegisterCallback("/app", HTTP_GET, http_rest_app);
- HTTP_RegisterCallback("/favicon.ico", HTTP_GET, http_favicon);
 }
-const char* apppage1 =
-""
-""
-" "
-" "
-" "
-" "
-""
-""
-"";
-
-
 /* Extracts string token value into outBuffer (128 char). Returns true if the operation was successful. */
 bool tryGetTokenString(const char* json, jsmntok_t* tok, char* outBuffer) {
 if (tok == NULL || tok->type != JSMN_STRING) {
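Review bot: The new prototype for `html_escape` is the public contract of the helper yet carries no comment, and it takes `char* in` although the definition never writes through it. I would declare it as `void html_escape(const char* in, char* outBuffer, int outBufferLength);` (the definition in new_http.c must change in step) with a short Doxygen block stating that `outBuffer` is always NUL-terminated, that `outBufferLength` must not exceed the real buffer size, that output is cut at an entity boundary when the escaped form does not fit, and which characters are escaped (`< > & "`) so callers can judge which HTML contexts it is safe for.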
@@ -166,20 +116,20 @@ static int http_rest_get(http_request_t* request) { #ifdef BK_LITTLEFS if (!strcmp(request->url, "api/fsblock")) { - uint32_t newsize = CFG_GetLFS_Size(); - uint32_t newstart = (LFS_BLOCKS_END - newsize); + uint32_t newsize = CFG_GetLFS_Size(); + uint32_t newstart = (LFS_BLOCKS_END - newsize); - newsize = (newsize/LFS_BLOCK_SIZE)*LFS_BLOCK_SIZE; + newsize = (newsize / LFS_BLOCK_SIZE) * LFS_BLOCK_SIZE; - // double check again that we're within bounds - don't want - // boot overwrite or anything nasty.... - if (newstart < LFS_BLOCKS_START_MIN){ - return http_rest_error(request, -20, "LFS Size mismatch"); - } - if ((newstart + newsize > LFS_BLOCKS_END) || - (newstart + newsize < LFS_BLOCKS_START_MIN)){ - return http_rest_error(request, -20, "LFS Size mismatch"); - } + // double check again that we're within bounds - don't want + // boot overwrite or anything nasty.... + if (newstart < LFS_BLOCKS_START_MIN) { + return http_rest_error(request, -20, "LFS Size mismatch"); + } + if ((newstart + newsize > LFS_BLOCKS_END) || + (newstart + newsize < LFS_BLOCKS_START_MIN)) { + return http_rest_error(request, -20, "LFS Size mismatch"); + } return http_rest_get_flash(request, newstart, newsize); } 
@@ -261,20 +211,20 @@ static int http_rest_post(http_request_t* request) { if (lfs_present()) { release_lfs(); } - uint32_t newsize = CFG_GetLFS_Size(); - uint32_t newstart = (LFS_BLOCKS_END - newsize); + uint32_t newsize = CFG_GetLFS_Size(); + uint32_t newstart = (LFS_BLOCKS_END - newsize); - newsize = (newsize/LFS_BLOCK_SIZE)*LFS_BLOCK_SIZE; + newsize = (newsize / LFS_BLOCK_SIZE) * LFS_BLOCK_SIZE; - // double check again that we're within bounds - don't want - // boot overwrite or anything nasty.... - if (newstart < LFS_BLOCKS_START_MIN){ - return http_rest_error(request, -20, "LFS Size mismatch"); - } - if ((newstart + newsize > LFS_BLOCKS_END) || - (newstart + newsize < LFS_BLOCKS_START_MIN)){ - return http_rest_error(request, -20, "LFS Size mismatch"); - } + // double check again that we're within bounds - don't want + // boot overwrite or anything nasty.... + if (newstart < LFS_BLOCKS_START_MIN) { + return http_rest_error(request, -20, "LFS Size mismatch"); + } + if ((newstart + newsize > LFS_BLOCKS_END) || + (newstart + newsize < LFS_BLOCKS_START_MIN)) { + return http_rest_error(request, -20, "LFS Size mismatch"); + } // we are writing the lfs block int res = http_rest_post_flash(request, newstart, LFS_BLOCKS_END); 
@@ -308,13 +258,17 @@ static int http_rest_app(http_request_t* request) {
 const char* ourip = HAL_GetMyIPString(); //CFG_GetOurIP();
 http_setup(request, httpMimeTypeHTML);
 if (webhost && ourip) {
- poststr(request, apppage1);
- poststr(request, webhost);
- poststr(request, apppage2);
- poststr(request, ourip);
- poststr(request, apppage3);
- poststr(request, webhost);
- poststr(request, apppage4);
+ poststr(request, htmlDoctype);
+
+ char escapedDeviceName[256];
+ html_escape(CFG_GetDeviceName(), escapedDeviceName, 255);
+ hprintf255(request, "%s", escapedDeviceName);
+
+ poststr(request, htmlShortcutIcon);
+ poststr(request, htmlHeadMeta);
+ hprintf255(request, "", webhost, ourip);
+ hprintf255(request, "", webhost);
+ poststr(request, "");
 }
 else {
 http_html_start(request, "Not available");
@@ -567,18 +521,18 @@ exit:
 return 0;
 }
-static int http_favicon(http_request_t* request) {
- request->url = "api/lfs/favicon.ico";
- return http_rest_get_lfs_file(request);
-}
+// static int http_favicon(http_request_t* request) {
+// request->url = "api/lfs/favicon.ico";
+// return http_rest_get_lfs_file(request);
+// }
 #else
-static int http_favicon(http_request_t* request) {
- request->responseCode = HTTP_RESPONSE_NOT_FOUND;
- http_setup(request, httpMimeTypeHTML);
- poststr(request, NULL);
- return 0;
-}
+// static int http_favicon(http_request_t* request) {
+// request->responseCode = HTTP_RESPONSE_NOT_FOUND;
+// http_setup(request, httpMimeTypeHTML);
+// poststr(request, NULL);
+// return 0;
+// }
 #endif
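Review bot: `webhost` and `ourip` are still interpolated raw by the two `hprintf255` calls immediately after the device name was escaped, which is inconsistent within the same block; `webhost` is obtained outside the hunk, so I can only presume it is a writable config value, but if it is it deserves the same `html_escape` treatment, or a comment stating why it is trusted. Separately, `hprintf255` formats into a 255-byte buffer and discards the rest (its `vsnprintf(tmp, 255, ...)` is visible in new_http.c), so a long `webhost` silently truncates the generated tag mid-markup instead of failing; the format strings did not survive this rendering, so I cannot see which attribute is affected. `http_rest_app` starts and ends outside the hunk.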
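Review bot: Both `http_favicon` bodies are kept as commented-out code while their forward declaration and the `/favicon.ico` registration are removed elsewhere in this patch; the commented blocks will drift from the real code and git history already preserves them. Delete both blocks. If that leaves the `#else` branch empty the surrounding `#ifdef` can be simplified, but its other contents are outside this hunk.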
@@ -748,7 +702,6 @@ static int http_rest_get_info(http_request_t* request) {
 http_setup(request, httpMimeTypeJson);
 hprintf255(request, "{\"uptime_s\":%d,", Time_getUpTimeSeconds());
 hprintf255(request, "\"build\":\"%s\",", g_build_str);
- hprintf255(request, "\"sys\":\"%s\",", obktype);
 hprintf255(request, "\"ip\":\"%s\",", HAL_GetMyIPString());
 hprintf255(request, "\"mac\":\"%s\",", HAL_GetMACStr(macstr));
 hprintf255(request, "\"mqtthost\":\"%s:%d\",", CFG_GetMQTTHost(), CFG_GetMQTTPort());