Fix HTML generation

This PR fixes two issues related to the generation of HTML files.

First, text that is to appear in the HTML file is first passed through html_reserved() to replace reserved characters with their corresponding entity names (e.g., '>' becomes '&gt;'). html_reserved() seems to work correctly on Ubuntu Linux, but it does not work as expected on MacOS. On MacOS, rather than converting '>' to '&gt;', it gets converted to '\&gt;', and the backslash is rendered by browsers.

This PR appears to fix the problem. However, given that the original version of html_reserved() was not portable, this revised version should be tested on multiple platforms.

I also noticed that in almost every case in which a string is passed to html_out(), it is first run through html_reserved(), but for some reason that is not the case in out() and outln(). I can't see any reason why html_reserved() is not called first in these two cases, so this PR adds in the calls.
David Cooper 2020-01-30 13:32:45 -05:00
parent e0c83b2a38
commit b92f0de2c9


@ -490,11 +490,11 @@ html_reserved(){
local output
"$do_html" || return 0
#sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1"
output="${1//\&/\&amp;}"
output="${output//</\&lt;}"
output="${output//>/\&gt;}"
output="${output//\"/\&quot;}"
output="${output//\'/\&apos;}"
output="${1//&/&amp;}"
output="${output//</&lt;}"
output="${output//>/&gt;}"
output="${output//\"/&quot;}"
output="${output//\'/&apos;}"
tm_out "$output"
return 0
}
@ -510,8 +510,8 @@ safe_echo() { printf -- "%b" "${1//%/%%}"; }
tm_out() { printf -- "%b" "${1//%/%%}"; }
tmln_out() { printf -- "%b" "${1//%/%%}\n"; }
out() { printf -- "%b" "${1//%/%%}"; html_out "$1"; }
outln() { printf -- "%b" "${1//%/%%}\n"; html_out "$1\n"; }
out() { printf -- "%b" "${1//%/%%}"; html_out "$(html_reserved "$1")"; }
outln() { printf -- "%b" "${1//%/%%}\n"; html_out "$(html_reserved "$1")\n"; }
#TODO: Still no shell injection safe but if just run it from the cmd line: that's fine
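Review bot: The bare `&` in the replacement strings of html_reserved() (the `${1//&/&amp;}` group in the first hunk, which reads as the new side) is itself version-dependent. Bash 5.2 introduced the `patsub_replacement` shell option, enabled by default, under which an unquoted `&` in the replacement stands for the matched text, so `${output//</&lt;}` would produce `<lt;` instead of `&lt;`. Since this function is the output encoding for everything written to the HTML report, that failure would leave raw `<`, `>` and quote characters from scan results in the file. Quoting the ampersand, for example `output="${output//</$'&'lt;}"`, should keep it literal under both behaviours, but this needs confirming on every bash version the script supports, including the older bash shipped with macOS. A small regression check that feeds `<>&"'` through html_reserved() and compares the result with the expected entities would catch both the backslash and the `&` failure modes.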