Do a more thorough html escaping in cache names and user nicks

2020-01-28 06:13:11 +01:00 · 2020-01-28 06:13:11 +01:00 · 59a5b4423d
commit 59a5b4423d
--- a/cache.cpp
+++ b/cache.cpp
@ -1,4 +1,5 @@
 #include "cache.h"
+#include "common.h"

 #include <cmath>
 #include <ctime>
@ -18,6 +19,12 @@ std::string Cache::link() const {
 	return "http://coord.eu/" + code;
 }

+std::string Cache::safe_name() const {
+	std::string tmp = name;
+	htmlencode(tmp);
+	return tmp;
+}
+
 float Cache::distance() const {
 	return 2 * Earth_radius * asin(sqrt(pow(sin(degtorad((pos.lat - home.lat) / 2)), 2) + cos(degtorad(pos.lat)) * cos(degtorad(home.lat)) * pow(sin(degtorad((pos.lon - home.lon) / 2)), 2)));
 }
--- a/cache.h
+++ b/cache.h
@ -75,6 +75,7 @@ public:

 	void show() const;
 	std::string link() const;
+	std::string safe_name() const;
 	float distance() const;
 };

--- a/common.cpp
+++ b/common.cpp
@ -5,6 +5,36 @@

 const int HIST_MAX = 20;

+void htmlencode(std::string& data) {
+    std::string tmp;
+    tmp.reserve(data.size()+20);
+
+    for(size_t i = 0; i != data.size(); i++) {
+        switch(data[i]) {
+            case '&':
+				tmp += "&amp;";
+				break;
+            case '\"':
+				tmp += "&quot;";
+				break;
+            case '\'':
+				tmp += "&apos;";
+				break;
+            case '<':
+				tmp += "&lt;";
+				break;
+            case '>':
+				tmp += "&gt;";
+				break;
+            default:
+				tmp += data[i];
+				break;
+        }
+    }
+
+    data.swap(tmp);
+}
+
 void show_histogram(const Caches& cc, std::string Cache::*ptr, std::string caption, bool html, bool sort_by_val) {
 	std::map<std::string, int> histogram;
 	std::vector<std::pair<std::string, int>> pairs;
@ -25,13 +55,11 @@ void show_histogram(const Caches& cc, std::string Cache::*ptr, std::string capti
 		else
 			max = std::max_element(pairs.begin(), pairs.end(), [&](std::pair<std::string, int>& a, std::pair<std::string, int>& b) { return a.second < b.second; })->second;
 		int i = 0;
-		std::string::size_type n;
 		std::cout << "<h2>" << caption << "</h2>\n";
 		std::cout << "<dl class=\"histogram\">\n";
 		for (auto own : pairs) {
+			htmlencode(own.first);
 			if (own.first.empty()) own.first = "[unknown]";
-			while ((n = own.first.find('&', n + 1)) != std::string::npos)
-				own.first.replace(n, 1, "&amp;");

 			if (i < HIST_MAX)
 				std::cout << "<dd class=\"bar\" style=\"--percent: " << 100 * own.second / max << "%;\"><span class=\"text\">" << own.first << ": " << own.second << "</span></dd>\n";
--- a/common.h
+++ b/common.h
@ -2,6 +2,8 @@

 #include "cache.h"

+void htmlencode(std::string& data);
+
 void show_histogram(const Caches& cc, std::string Cache::*ptr, std::string caption, bool html = 0, bool sort_by_val = 1);

 int find_streak(const std::multimap<std::time_t, const Cache*>& cc, std::tm& start);
--- a/geostat.cpp
+++ b/geostat.cpp
@ -326,13 +326,13 @@ int main(int argc, char** argv) {
 		std::cout << "<h2>Geographically extreme caches</h2>\n";
 		std::cout << "<table class=\"list\">\n";
 		std::cout << "<tr>\n";
-		std::cout << "  <td class=\"list_head\">North:</td><td><a href=\"" << N->link() << "\">" << N->name << " (" << N->code << ")</a></td><td>" << N->pos.lat << "</td>\n";
+		std::cout << "  <td class=\"list_head\">North:</td><td><a href=\"" << N->link() << "\">" << N->safe_name() << " (" << N->code << ")</a></td><td>" << N->pos.lat << "</td>\n";
 		std::cout << "</tr><tr>\n";
-		std::cout << "  <td class=\"list_head\">South:</td><td><a href=\"" << S->link() << "\">" << S->name << " (" << S->code << ")</a></td><td>" << S->pos.lat << "</td>\n";
+		std::cout << "  <td class=\"list_head\">South:</td><td><a href=\"" << S->link() << "\">" << S->safe_name() << " (" << S->code << ")</a></td><td>" << S->pos.lat << "</td>\n";
 		std::cout << "</tr><tr>\n";
-		std::cout << "  <td class=\"list_head\">East:</td> <td><a href=\"" << E->link() << "\">" << E->name << " (" << E->code << ")</a></td><td>" << E->pos.lon << "</td>\n";
+		std::cout << "  <td class=\"list_head\">East:</td> <td><a href=\"" << E->link() << "\">" << E->safe_name() << " (" << E->code << ")</a></td><td>" << E->pos.lon << "</td>\n";
 		std::cout << "</tr><tr>\n";
-		std::cout << "  <td class=\"list_head\">West:</td> <td><a href=\"" << W->link() << "\">" << W->name << " (" << W->code << ")</a></td><td>" << W->pos.lon << "</td>\n";
+		std::cout << "  <td class=\"list_head\">West:</td> <td><a href=\"" << W->link() << "\">" << W->safe_name() << " (" << W->code << ")</a></td><td>" << W->pos.lon << "</td>\n";
 		std::cout << "</tr>\n";
 		std::cout << "</table>\n";

@ -426,7 +426,7 @@ int main(int argc, char** argv) {

 		for (auto i = sorted_caches_by_hidden.begin(); i != sorted_caches_by_hidden.end(); i++) {
 			std::cout << "<tr><td class=\"list_head\">" << n << "</td> ";
-			std::cout << "<td>" << "<a href=\"" << i->second->link() << "\">" << i->second->name << " (" << i->second->code << ")</a>" << "</td>";
+			std::cout << "<td>" << "<a href=\"" << i->second->link() << "\">" << i->second->safe_name() << " (" << i->second->code << ")</a>" << "</td>";
 			std::cout << "<td>" << i->second->date_hidden << "</td>";
 			std::cout << "<td>" << i->second->date << "</td>";
 			std::cout << "</tr>\n";
@ -447,7 +447,7 @@ int main(int argc, char** argv) {

 		for (auto i = sorted_caches_by_hidden.rbegin(); i != sorted_caches_by_hidden.rend(); i++) {
 			std::cout << "<tr><td class=\"list_head\">" << n << "</td> ";
-			std::cout << "<td>" << "<a href=\"" << i->second->link() << "\">" << i->second->name << " (" << i->second->code << ")</a>" << "</td>";
+			std::cout << "<td>" << "<a href=\"" << i->second->link() << "\">" << i->second->safe_name() << " (" << i->second->code << ")</a>" << "</td>";
 			std::cout << "<td>" << i->second->date_hidden << "</td>";
 			std::cout << "<td>" << i->second->date << "</td>";
 			std::cout << "</tr>\n";
@ -469,7 +469,7 @@ int main(int argc, char** argv) {

 		for (auto i : caches_by_fav) {
 			std::cout << "<tr><td class=\"list_head\">" << n << "</td> ";
-			std::cout << "<td>" << "<a href=\"" << i->link() << "\">" << i->name << " (" << i->code << ")</a>" << "</td>";
+			std::cout << "<td>" << "<a href=\"" << i->link() << "\">" << i->safe_name() << " (" << i->code << ")</a>" << "</td>";
 			std::cout << "<td>" << i->fav << "</td>";
 			std::cout << "<td>" << i->founds << "</td>";
 			std::cout << "<td>" << std::setprecision(3) << 100.0 * i->fav / i->founds << "%</td>";
@ -492,7 +492,7 @@ int main(int argc, char** argv) {

 		for (auto i : caches_by_fav_perc) {
 			std::cout << "<tr><td class=\"list_head\">" << n << "</td> ";
-			std::cout << "<td>" << "<a href=\"" << i->link() << "\">" << i->name << " (" << i->code << ")</a>" << "</td>";
+			std::cout << "<td>" << "<a href=\"" << i->link() << "\">" << i->safe_name() << " (" << i->code << ")</a>" << "</td>";
 			std::cout << "<td>" << i->fav << "</td>";
 			std::cout << "<td>" << i->founds << "</td>";
 			std::cout << "<td>" << std::setprecision(3) << 100.0 * i->fav / i->founds << "%</td>";
--- a/meson.build
+++ b/meson.build
@ -17,7 +17,7 @@ endif
 link = ['-lgpx', '-lheatmap']
 src = ['geostat.cpp', 'okapi.cpp', 'gpx.cpp', 'cache.cpp', 'debug.cpp', 'heat.cpp', 'ocdb.cpp', 'common.cpp']
 src_cli = ['geostat_cli.cpp', 'okapi.cpp', 'gpx.cpp', 'cache.cpp', 'debug.cpp', 'heat.cpp', 'ocdb.cpp', 'common.cpp']
-src_db = ['geodb.cpp', 'debug.cpp', 'ocdb.cpp', 'okapi.cpp', 'cache.cpp']
+src_db = ['geodb.cpp', 'debug.cpp', 'ocdb.cpp', 'okapi.cpp', 'cache.cpp', 'common.cpp']

 executable('geostat', src, dependencies : [curl_dep, json_dep, magick_dep, sqlite_dep], link_args: link, install: true)
 executable('geostat_cli', src_cli, dependencies : [curl_dep, json_dep, magick_dep, sqlite_dep], link_args: link, install: true)