Also filter single quotes and / in html_entities() to prevent XSS attack in normal...
authorThomas Jarosch <thomas.jarosch@intra2net.com>
Thu, 15 Jul 2010 09:43:07 +0000 (11:43 +0200)
committerThomas Jarosch <thomas.jarosch@intra2net.com>
Thu, 15 Jul 2010 09:43:07 +0000 (11:43 +0200)
src/stringfunc.cpp

index 1fe636a..16cd6bd 100644 (file)
@@ -781,9 +781,11 @@ string html_entities(std::string str)
 {
    // Normal chars
    replace_all (str, "&", "&amp;");
-   replace_all (str, "\"", "&quot;");
    replace_all (str, "<", "&lt;");
    replace_all (str, ">", "&gt;");
+   replace_all (str, "\"", "&quot;");
+   replace_all (str, "'", "&#x27;");
+   replace_all (str, "/", "&#x2F;");
 
    // Umlauts
    replace_all (str, "\xC3\xA4", "&auml;");
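Review bot: The escaping is only correct because `&` is replaced before the entities at lines L16–L18 are inserted, and nothing in the hunk says so; a later reorder or an added `replace_all` placed above the `&` line would silently double-encode or, worse, be undone. Add a comment on the `&` line: `// "&" must stay first: every entity inserted below contains "&" and would otherwise be re-escaped`. The new `'` and `/` entities close the common attribute-value and end-tag (`</script>`-style) cases for HTML text and quoted attribute contexts, but this function does not make output safe inside a script block, an event-handler attribute or a URL, so a one-line note on the function's purpose — that html_entities() is for HTML text/attribute content only and callers need a context-specific encoder elsewhere — would help callers use it correctly. The body of html_entities() continues past the end of the hunk (the Umlauts section is cut off), so this covers only the visible part.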