Merge pull request #1157 from colincross/browse

Escape ninja output inserted into HTML
author: Nico Weber <nicolasweber@gmx.de> 2016-05-30 21:07:33 (GMT)
committer: Nico Weber <nicolasweber@gmx.de> 2016-05-30 21:07:33 (GMT)
commit: 8d65002fd5e6f2102447ab15f636cc84db3384ec (patch)
tree: 414d203ffe35fb8e0cf95c1e7169b5882e96e751 /src
parent: 680efe41f1111fb0ab0c593e15733aa71909637d (diff)
parent: 8aeb91ebb12057b34b60084311ef4c790311559f (diff)
download: Ninja-8d65002fd5e6f2102447ab15f636cc84db3384ec.zip
Ninja-8d65002fd5e6f2102447ab15f636cc84db3384ec.tar.gz
Ninja-8d65002fd5e6f2102447ab15f636cc84db3384ec.tar.bz2
1 files changed, 10 insertions, 6 deletions
diff --git a/src/browse.py b/src/browse.py
index 32792f3..4b4faa8 100755
--- a/src/browse.py
+++ b/src/browse.py
@@ -27,6 +27,7 @@ try:
 except ImportError:
     import BaseHTTPServer as httpserver
 import argparse
+import cgi
 import os
 import socket
 import subprocess
@@ -58,6 +59,9 @@ def match_strip(line, prefix):
         return (False, line)
     return (True, line[len(prefix):])
 
+def html_escape(text):
+    return cgi.escape(text, quote=True)
+
 def parse(text):
     lines = iter(text.split('\n'))
 
@@ -124,19 +128,19 @@ tt {
 ''' + body
 
 def generate_html(node):
-    document = ['<h1><tt>%s</tt></h1>' % node.target]
+    document = ['<h1><tt>%s</tt></h1>' % html_escape(node.target)]
 
     if node.inputs:
         document.append('<h2>target is built using rule <tt>%s</tt> of</h2>' %
-                        node.rule)
+                        html_escape(node.rule))
         if len(node.inputs) > 0:
             document.append('<div class=filelist>')
             for input, type in sorted(node.inputs):
                 extra = ''
                 if type:
-                    extra = ' (%s)' % type
+                    extra = ' (%s)' % html_escape(type)
                 document.append('<tt><a href="?%s">%s</a>%s</tt><br>' %
-                                (input, input, extra))
+                                (html_escape(input), html_escape(input), extra))
             document.append('</div>')
 
     if node.outputs:
@@ -144,7 +148,7 @@ def generate_html(node):
         document.append('<div class=filelist>')
         for output in sorted(node.outputs):
             document.append('<tt><a href="?%s">%s</a></tt><br>' %
-                            (output, output))
+                            (html_escape(output), html_escape(output)))
         document.append('</div>')
 
     return '\n'.join(document)
@@ -177,7 +181,7 @@ class RequestHandler(httpserver.BaseHTTPRequestHandler):
             page_body = generate_html(parse(ninja_output.strip()))
         else:
             # Relay ninja's error message.
-            page_body = '<h1><tt>%s</tt></h1>' % ninja_error
+            page_body = '<h1><tt>%s</tt></h1>' % html_escape(ninja_error)
 
         self.send_response(200)
         self.end_headers()
author	Nico Weber <nicolasweber@gmx.de>	2016-05-30 21:07:33 (GMT)
committer	Nico Weber <nicolasweber@gmx.de>	2016-05-30 21:07:33 (GMT)
commit	8d65002fd5e6f2102447ab15f636cc84db3384ec (patch)
tree	414d203ffe35fb8e0cf95c1e7169b5882e96e751 /src
parent	680efe41f1111fb0ab0c593e15733aa71909637d (diff)
parent	8aeb91ebb12057b34b60084311ef4c790311559f (diff)
download	Ninja-8d65002fd5e6f2102447ab15f636cc84db3384ec.zip Ninja-8d65002fd5e6f2102447ab15f636cc84db3384ec.tar.gz Ninja-8d65002fd5e6f2102447ab15f636cc84db3384ec.tar.bz2