From 8aeb91ebb12057b34b60084311ef4c790311559f Mon Sep 17 00:00:00 2001
From: Colin Cross
Date: Fri, 20 May 2016 15:24:56 -0700
Subject: Escape ninja output inserted into HTML Ninja query or error output may contain characters that need to be escaped when being inserted into HTML. Replace &, ", <, and > with their & equivalent.
---
 src/browse.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/browse.py b/src/browse.py
index 32792f3..4b4faa8 100755
--- a/src/browse.py
+++ b/src/browse.py
@@ -27,6 +27,7 @@ try:
 except ImportError:
 import BaseHTTPServer as httpserver
 import argparse
+import cgi
 import os
 import socket
 import subprocess
@@ -58,6 +59,9 @@ def match_strip(line, prefix):
 return (False, line)
 return (True, line[len(prefix):])
+def html_escape(text):
+ return cgi.escape(text, quote=True)
+
 def parse(text):
 lines = iter(text.split('\n'))
@@ -124,19 +128,19 @@ tt {
 ''' + body
 def generate_html(node):
- document = ['
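Review bot: `html_escape` is built on `cgi.escape`, which Python 3 deprecated in favour of `html.escape` and later removed, while the context of the first hunk shows this file already carries a Python 2/3 import fallback for `httpserver`. Importing `escape` from `html` with an `ImportError` fallback to `cgi`, in that same style, and calling `return escape(text, quote=True)` keeps the helper working on both. Note also that `cgi.escape(..., quote=True)` leaves `'` untouched, so the helper is only safe for text nodes and double-quoted attributes. A one-line docstring such as `"""Escape &, <, > and " for HTML text or double-quoted attributes."""` would make that contract explicit.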

%s

' % node.target] + document = ['

%s

' % html_escape(node.target)] if node.inputs: document.append('

target is built using rule %s of

' % - node.rule) + html_escape(node.rule)) if len(node.inputs) > 0: document.append('
') for input, type in sorted(node.inputs): extra = '' if type: - extra = ' (%s)' % type + extra = ' (%s)' % html_escape(type) document.append('%s%s
' % - (input, input, extra)) + (html_escape(input), html_escape(input), extra)) document.append('
') if node.outputs: @@ -144,7 +148,7 @@ def generate_html(node): document.append('
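Review bot: In the `for input, type in sorted(node.inputs)` row, `html_escape(input)` is passed twice while the format string shows fewer `%s` slots than arguments, so one copy presumably lands inside a link attribute whose markup is not shown on this page. If that slot is a URL query, HTML escaping alone is the wrong encoding for it: `%`, `#`, `&` or `+` in a target name would change how the link is parsed when it is followed. That value should be URL-quoted first and then HTML-escaped, keeping plain `html_escape(input)` for the visible text. The same applies to the `html_escape(output)` pair in the following hunk. `generate_html` continues past the end of this hunk.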
') for output in sorted(node.outputs): document.append('%s
' % - (output, output)) + (html_escape(output), html_escape(output))) document.append('
') return '\n'.join(document) @@ -177,7 +181,7 @@ class RequestHandler(httpserver.BaseHTTPRequestHandler): page_body = generate_html(parse(ninja_output.strip())) else: # Relay ninja's error message. - page_body = '

%s

' % ninja_error + page_body = '

%s

' % html_escape(ninja_error) self.send_response(200) self.end_headers() -- cgit v0.12
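Review bot: The escaped page is sent with `self.send_response(200)` followed directly by `self.end_headers()`, so the response declares no `Content-Type`. Escaping `&`, `<`, `>` and `"` only protects the page if the browser interprets the body with the content type and charset the server assumed. Adding `self.send_header('Content-Type', 'text/html; charset=utf-8')` before `end_headers()`, with the charset matching however the body is encoded when written, removes the reliance on content and charset sniffing. The handler method starts before and continues after this hunk.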