From 8aeb91ebb12057b34b60084311ef4c790311559f Mon Sep 17 00:00:00 2001
From: Colin Cross <ccross@android.com>
Date: Fri, 20 May 2016 15:24:56 -0700
Subject: Escape ninja output inserted into HTML

Ninja query or error output may contain characters that need to be
escaped when being inserted into HTML.  Replace &, ", <, and > with
their HTML entity equivalents.
---
 src/browse.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/browse.py b/src/browse.py
index 32792f3..4b4faa8 100755
--- a/src/browse.py
+++ b/src/browse.py
@@ -27,6 +27,7 @@ try:
 except ImportError:
     import BaseHTTPServer as httpserver
 import argparse
+import cgi
 import os
 import socket
 import subprocess
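Review bot: `cgi.escape`, which the `import cgi` added here exists to serve in the `html_escape` helper of the next hunk, is deprecated since Python 3.2 and was removed in Python 3.8, so on a current Python 3 the helper raises AttributeError on the first request and the page never renders. The file already guards its HTTP-server import with `try`/`except ImportError` for Python 2/3 compatibility, and the same pattern fits here: prefer `html.escape` (stdlib, 3.2+), which escapes the same four characters plus the single quote, and fall back to `cgi.escape` on Python 2. Keeping the single `html_escape` call site means generate_html and the error path need no further change.

```python
try:
    from html import escape as _escape  # Python 3.2+: escapes &, <, >, " and '
except ImportError:
    from cgi import escape as _escape   # Python 2 fallback (no html module)

def html_escape(text):
    return _escape(text, quote=True)
```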
@@ -58,6 +59,9 @@ def match_strip(line, prefix):
         return (False, line)
     return (True, line[len(prefix):])
 
+def html_escape(text):
+    return cgi.escape(text, quote=True)
+
 def parse(text):
     lines = iter(text.split('\n'))
 
@@ -124,19 +128,19 @@ tt {
 ''' + body
 
 def generate_html(node):
-    document = ['<h1><tt>%s</tt></h1>' % node.target]
+    document = ['<h1><tt>%s</tt></h1>' % html_escape(node.target)]
 
     if node.inputs:
         document.append('<h2>target is built using rule <tt>%s</tt> of</h2>' %
-                        node.rule)
+                        html_escape(node.rule))
         if len(node.inputs) > 0:
             document.append('<div class=filelist>')
             for input, type in sorted(node.inputs):
                 extra = ''
                 if type:
-                    extra = ' (%s)' % type
+                    extra = ' (%s)' % html_escape(type)
                 document.append('<tt><a href="?%s">%s</a>%s</tt><br>' %
-                                (input, input, extra))
+                                (html_escape(input), html_escape(input), extra))
             document.append('</div>')
 
     if node.outputs:
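Review bot: The `href="?%s"` values built from `input` in this hunk (and from `output` in the next one) are now HTML-escaped but not URL-encoded, so a name containing `#`, `?` or `%` presumably yields a link that the browser truncates or decodes differently from the target the page means to query. HTML escaping is the right defence for the markup; the query part additionally needs URL quoting applied first, e.g. `html_escape(quote(input))` with `quote` from `urllib.parse` on Python 3 or `urllib` on Python 2, guarded the same way the file guards its server import. The visible link text keeps plain `html_escape(input)`. generate_html continues past the end of this hunk.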
@@ -144,7 +148,7 @@ def generate_html(node):
         document.append('<div class=filelist>')
         for output in sorted(node.outputs):
             document.append('<tt><a href="?%s">%s</a></tt><br>' %
-                            (output, output))
+                            (html_escape(output), html_escape(output)))
         document.append('</div>')
 
     return '\n'.join(document)
@@ -177,7 +181,7 @@ class RequestHandler(httpserver.BaseHTTPRequestHandler):
             page_body = generate_html(parse(ninja_output.strip()))
         else:
             # Relay ninja's error message.
-            page_body = '<h1><tt>%s</tt></h1>' % ninja_error
+            page_body = '<h1><tt>%s</tt></h1>' % html_escape(ninja_error)
 
         self.send_response(200)
         self.end_headers()
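Review bot: The escaped page is still sent without an explicit Content-Type: `self.send_response(200)` is followed directly by `self.end_headers()` at the end of the hunk, and nothing visible sets one, so the browser has to sniff both the media type and the charset. Adding `self.send_header('Content-Type', 'text/html; charset=utf-8')` between those two lines pins both and complements the new escaping; it covers the success branch too, since both branches reach the same send. The enclosing handler method starts and ends outside this hunk.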
-- 
cgit v0.12