fc290bc3a314d67cc1d9b354c2a670142b386536 galt Mon Oct 10 13:23:12 2016 -0700 Cleaning out old stuff. In the past TimD had tried to encode newlines in htmlEncode. He was really trying to encode them in html attributes, especially the TITLE attribute in hgTracks/imageV2.c. Since we now have a proper attribute encoder that works for all characters, and it works with modern Firefox, the special handling is no longer needed. diff --git src/lib/htmshell.c src/lib/htmshell.c index 56e645d..c1fc4ae 100644 --- src/lib/htmshell.c +++ src/lib/htmshell.c @@ -208,75 +208,54 @@ *to = '\0'; return scrubbed; } char *htmlWarnEncode(char *s) /* Returns a cloned string with newlines replaced by BR tag. Meant to be displayed with warn popup box. */ { int size = strlen(s); size += countChars(s,'\n') * 4; char *cleanQuote = needMem(size+1); safecpy(cleanQuote,size+1,s); strSwapStrs(cleanQuote, size,"\n","<BR>" ); // use BR tag for new lines -// No Longer necessary. They mess up textareas which have CR LF when posted. -// I am commenting them out now 2016-10-01. TODO REMOVE if not needed. -//if (cgiClientBrowser(NULL,NULL,NULL) == btFF) // Firefox -// strSwapStrs(cleanQuote, size, "|", "<BR>"); // replace with BR tag -//else -// strSwapStrs(cleanQuote, size, "
", "<BR>"); // replace with BR tag return cleanQuote; } int htmlEncodeTextExtended(char *s, char *out, int outSize) /* Replaces required punctuation characters with html entities to fight XSS. * out result must be large enough to receive the encoded string. * Returns size of encoded string or -1 if output larger than outSize. * To just get the final encoded size, pass in NULL for out and 0 for outSize. * To output without checking sizes, pass in non-NULL for out and 0 for outSize. */ { -// No Longer necessary. They mess up textareas which have CR LF when posted. -// I am commenting them out now 2016-10-01. TODO REMOVE if not needed. -//boolean FF = FALSE; -//if (cgiClientBrowser(NULL,NULL,NULL) == btFF) -// FF = TRUE; int total = 0; char c = 0; do { c=*s++; int size = 1; char *newString = NULL; if (c == '&') { size = 5; newString = "&"; } // '&' start a control char if (c == '>') { size = 4; newString = ">" ; } // '>' close of tag if (c == '<') { size = 4; newString = "<" ; } // '<' open of tag - // No Longer necessary. They mess up textareas which have CR LF when posted. - // I am commenting them out now 2016-10-01. TODO REMOVE if not needed. - //if (c == '\n') - //{ - //size = 6; - //if (FF) - //newString = "|"; // FF does not support! Use "|" for '|' instead - //else - //newString = "
"; // '\n' is supported on some browsers - //} if (c == '/') { size = 6; newString = "/"; } // forward slash helps end an HTML entity if (c == '"') { size = 6; newString = """; } // double quote if (c == '\'') { size = 5; newString = "'" ; } // single quote if (out) { if (outSize > 0 && (total+size+1) > outSize) // 1 for terminator { *out = 0; return -1; } if (size == 1) *out++ = c; else { strncpy(out, newString, size);