pidgin: f198f700: Escape all the values when appending the...
darkrain42 at pidgin.im
darkrain42 at pidgin.im
Fri May 1 22:40:34 EDT 2009
-----------------------------------------------------------------
Revision: f198f700ad677f93033f49cfcf5447262440f517
Ancestor: fc9116694d915c50975b662e75e3275ce3e9f479
Author: darkrain42 at pidgin.im
Date: 2009-05-02T01:26:18
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/f198f700ad677f93033f49cfcf5447262440f517
Modified files:
ChangeLog.API libpurple/protocols/jabber/caps.c
libpurple/util.c libpurple/util.h
ChangeLog:
Escape all the values when appending them to the Entity Caps verification str.
xmlnode_get_attrib and xmlnode_get_data unescape what they return. Thanks to
Tobias and Waqas. This will still fail to validate if the other side uses
entity codes (or uses other entities unnecessarily), but that should be dealt
with as a hash failure instead of a collision.
(10:12:11) Tobias: [18:48:43] <waqas> <identity category='client' type='pc' name='SomeClient'/><feature var='http://jabber.org/protocol/muc'/> turns into 'client/pc//SomeClient<http://jabber.org/protocol/caps<'
but so does <identity category='client' type='pc' name='SomeClient<http://jabber.org/protocol/caps'/>, which is a collision, right?
-------------- next part --------------
============================================================
--- ChangeLog.API 0a1a50aa1da396c399fbfbae4975fe844c28dcb2
+++ ChangeLog.API 8500d25dcf04dcd4f303130fbb8c12d12fd93a2c
@@ -27,6 +27,7 @@ version 2.6.0 (??/??/2009):
* purple_connection_set_protocol_data
* purple_contact_destroy
* purple_conv_chat_invite_user
+ * purple_escape_html
* purple_global_proxy_set_info
* purple_group_destroy
* purple_log_get_activity_score
============================================================
--- libpurple/protocols/jabber/caps.c f2b7696da9992a5cea44572ae7c3872482071306
+++ libpurple/protocols/jabber/caps.c 2eb73ce832095620cb4719448c50afb2ccdb7f69
@@ -286,10 +286,10 @@ jabber_caps_load(void)
id->type = g_strdup(type);
id->name = g_strdup(name);
id->lang = g_strdup(lang);
-
+
value->identities = g_list_append(value->identities,id);
} else if(!strcmp(child->name,"x")) {
- /* FIXME: See #7814 -- this will cause problems if anyone
+ /* TODO: See #7814 -- this might cause problems if anyone
* ever actually specifies forms. In fact, for this to
* work properly, that bug needs to be fixed in
* xmlnode_from_str, not the output version... */
@@ -794,9 +794,11 @@ static GString*
}
static GString*
-jabber_caps_verification_append(GString *verification, const gchar *string)
+jabber_caps_verification_append(GString *verification, const gchar *str)
{
- verification = g_string_append(verification, string);
+ char *tmp = purple_escape_html(str);
+ verification = g_string_append(verification, tmp);
+ g_free(tmp);
return g_string_append_c(verification, '<');
}
@@ -822,9 +824,18 @@ gchar *jabber_caps_calculate_hash(Jabber
/* concat identities to the verification string */
for (node = info->identities; node; node = node->next) {
JabberIdentity *id = (JabberIdentity*)node->data;
+ char *category = purple_escape_html(id->category);
+ char *type = purple_escape_html(id->type);
+ char *lang = purple_escape_html(id->lang);
+ char *name = purple_escape_html(id->name);
- g_string_append_printf(verification, "%s/%s/%s/%s<", id->category,
- id->type, id->lang ? id->lang : "", id->name);
+ g_string_append_printf(verification, "%s/%s/%s/%s<", category,
+ type, lang ? lang : "", name ? name : "");
+
+ g_free(category);
+ g_free(type);
+ g_free(lang);
+ g_free(name);
}
/* concat features to the verification string */
============================================================
--- libpurple/util.c 8c4e4787d5558dbb66ce2d53c3d42c468b95e4bf
+++ libpurple/util.c 6e96cb4d7f7b75bb49eca80bd464d7a8b18d6ff5
@@ -2357,6 +2357,39 @@ char *
}
char *
+purple_escape_html(const char *str)
+{
+ GString *ret;
+ const char *in = str;
+
+ if (str == NULL)
+ return NULL;
+
+ ret = g_string_sized_new(strlen(str));
+ for ( ; *in; ++in) {
+ switch (*in) {
+ case '&':
+ ret = g_string_append_len(ret, "&", 5);
+ break;
+ case '"':
+ ret = g_string_append_len(ret, """, 6);
+ break;
+ case '<':
+ ret = g_string_append_len(ret, "<", 4);
+ break;
+ case '>':
+ ret = g_string_append_len(ret, ">", 4);
+ break;
+ default:
+ ret = g_string_append_c(ret, *in);
+ break;
+ }
+ }
+
+ return g_string_free(ret, FALSE);
+}
+
+char *
purple_unescape_html(const char *html) {
if (html != NULL) {
const char *c = html;
============================================================
--- libpurple/util.h 6c69049f77be8fb8aa227211e46dd9caa266bcec
+++ libpurple/util.h 0db8286e30271b331fc4afa0bed5f00f0e03a7c4
@@ -496,7 +496,23 @@ char *purple_markup_linkify(const char *
char *purple_markup_linkify(const char *str);
/**
- * Unescapes HTML entities to their literal characters.
+ * Escape special HTML characters to their HTML entities.
+ * This is almost the reverse of purple_unescape_html except that
+ * this does not translate "\n" into "<br>".
+ *
+ * @param str The string in which to escape special characters.
+ *
+ * @return The text with the special characters escaped. You must
+ * g_free this string when finished with it.
+ *
+ * @see purple_unescape_html
+ * @since 2.6.0
+ */
+char *purple_escape_html(const char *str);
+
+/**
+ * Unescapes HTML entities to their literal characters. Also translates
+ * "<br>" to "\n".
* For example "&" is replaced by '&' and so on.
* Actually only "&", """, "<" and ">" are currently
* supported.
@@ -505,6 +521,8 @@ char *purple_markup_linkify(const char *
*
* @return The text with HTML entities literalized. You must g_free
* this string when finished with it.
+ *
+ * @see purple_escape_html
*/
char *purple_unescape_html(const char *html);
More information about the Commits
mailing list