diff --git a/testssl.sh b/testssl.sh index 27c4a40..4b8c463 100755 --- a/testssl.sh +++ b/testssl.sh @@ -490,12 +490,12 @@ html_reserved(){ local output "$do_html" || return 0 #sed -e 's/\&/\&/g' -e 's//\>/g' -e 's/"/\"/g' -e "s/'/\'/g" <<< "$1" - output="${1//\&/\&}" - output="${output///\>}" - output="${output//\"/\"}" - output="${output//\'/\'}" - tm_out "$output" + output="${1//&/&}" + output="${output///>}" + output="${output//\"/"}" + output="${output//\'/'}" + printf -- "%s" "$output" return 0 } @@ -510,8 +510,8 @@ safe_echo() { printf -- "%b" "${1//%/%%}"; } tm_out() { printf -- "%b" "${1//%/%%}"; } tmln_out() { printf -- "%b" "${1//%/%%}\n"; } -out() { printf -- "%b" "${1//%/%%}"; html_out "$1"; } -outln() { printf -- "%b" "${1//%/%%}\n"; html_out "$1\n"; } +out() { printf -- "%b" "${1//%/%%}"; html_out "$(html_reserved "$1")"; } +outln() { printf -- "%b" "${1//%/%%}\n"; html_out "$(html_reserved "$1")\n"; } #TODO: Still no shell injection safe but if just run it from the cmd line: that's fine