54413ab8e05496303b70ee4349b4e5ada1802147
max
  Wed Feb 4 03:40:06 2026 -0800
adding XSS security fix to hub error printf, refs #36916

diff --git src/lib/common.c src/lib/common.c
index 756bf50236b..3e7a8ea9cfd 100644
--- src/lib/common.c
+++ src/lib/common.c
@@ -1734,43 +1734,54 @@
 
 char *strUpper(char *s)
 /* Convert entire string to upper case. */
 {
 char c;
 char *ss=s;
 for (;;)
     {
     if ((c = *ss) == 0) break;
     *ss++ = toupper(c);
     }
 return s;
 }
 
 void replaceChar(char *s, char oldc, char newc)
-/* Repace one char with another. Modifies original string. */
+/* Replace one char with another. Modifies original string. */
 {
 if (!s)
     return;
 char c;
 while((c=*s))
     {
     if (c == oldc)
        *s = newc;	
     ++s;
     }
 }
 
+char *stripHtml(char *s) 
+    /* replace < and > with [ and ]. Whenever we
+     * print a string that we get from the internet, e.g. through HTTP headers,
+     * in a hub.txt file or via a HTTP GET or POST argument, we need to strip
+     * tags. */
+{
+replaceChar(s, '<', '[');
+replaceChar(s, '>', ']');
+return s;
+}
+
 char *replaceChars(char *string, char *old, char *new)
 /*
   Replaces the old with the new. The old and new string need not be of equal size
  Can take any length string.
  Return value needs to be freeMem'd.
 */
 {
 int numTimes = 0;
 int oldLen = strlen(old);
 int newLen = strlen(new);
 int strLen = 0;
 char *result = NULL;
 char *ptr = strstr(string, old);
 char *resultPtr = NULL;
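Review bot: The new stripHtml (added between replaceChar and replaceChars) rewrites only `<` and `>`, so it protects text printed between tags but not a value written into an HTML attribute or a script block, where `"`, `'` and `&` pass through unchanged. The header comment should state that limit, for example `/* Replace < and > with [ and ] in place. Only sufficient for text in element content, not inside attribute values or scripts. */`, and it should sit at column 0 like the other function comments in this file. Callers that print into an attribute would need a full HTML-encoding routine instead; the call sites are not visible in this hunk, so which context they print into cannot be confirmed here. The function also edits its argument in place and returns the same pointer, so the comment should warn against passing string literals or buffers shared with other code.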