Variables encoded twice
Bernd Arnold
bernd_a at gmx.de
Tue Aug 5 21:30:31 CEST 2008
> > So try
> > printf("<input type='hidden' name='host'
> > value='%s'>\n",html_encode(host_name,FALSE));
>
> But this works only if you enable escape_html_tags in cgi.cfg.
>
> New idea: I added a function escape_string() to clean all user supplied
> strings that get printed into html form values. Works for the above test
> cases independent of escape_html_tags. An updated patch is attached.
>
Hi Armin,
I fully agree. The html_encode function depends on the escape_html_tags setting. I've applied your patch and it works for the hosts "SDSL:Customer" and "John's server" in avail.cgi.
But it's not complete yet. Try "John's server" in histogram.cgi and trends.cgi, and you'll get
<option value='John's server'>John's server
Maybe you'll have a look at this; I will also, but I don't have the time today.
During compilation, I got four warning messages:
avail.c:944: warning: pointer/integer type mismatch in conditional expression
history.c:207: warning: pointer/integer type mismatch in conditional expression
trends.c:861: warning: pointer/integer type mismatch in conditional expression
histogram.c:749: warning: pointer/integer type mismatch in conditional expression
They don't appear if I declare your escape_string function in the cgiutils.h files (I don't know the difference between cgiutils.h and cgiutils.h.in, so I patched both files).
Regards
Bernd
Attachments:
cgiutils.h.diff (application/octet-stream, 533 bytes): <https://www.monitoring-lists.org/archive/developers/attachments/20080805/6d1751d3/attachment.obj>
cgiutils.h.in.diff (application/octet-stream, 539 bytes): <https://www.monitoring-lists.org/archive/developers/attachments/20080805/6d1751d3/attachment-0001.obj>
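The output quoted above, <option value='John's server'>John's server, shows the actual defect: the apostrophe in the host name terminates the single-quoted value attribute, so anything after it is parsed as markup rather than data. An escaping routine used for attribute values therefore has to replace both quote characters as well as &, < and >, and it has to do so unconditionally rather than depending on a runtime setting like escape_html_tags. The following C example is added here to illustrate that; it is not Armin's escape_string() patch or any Nagios code, and the function names html_attr_escape(), render_option() and render_option_unescaped() and the host names used as input are assumptions for the illustration.

```c
/* Added example, not the Nagios patch under discussion.
 * Escapes a user-supplied string for use inside an HTML attribute value.
 * Unlike an encoder gated by a config flag, this always rewrites the five
 * characters that can break out of an attribute or element context.
 * Function names and sample inputs are assumptions for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly malloc'd escaped copy of `in`; the caller frees it.
 * Returns NULL for a NULL input or on allocation failure. */
char *html_attr_escape(const char *in) {
    size_t i, out_len = 0;
    char *out, *p;

    if (in == NULL)
        return NULL;

    /* First pass: compute the escaped length so a single allocation suffices. */
    for (i = 0; in[i] != '\0'; i++) {
        switch (in[i]) {
        case '&':  out_len += 5; break; /* &amp;  */
        case '<':  out_len += 4; break; /* &lt;   */
        case '>':  out_len += 4; break; /* &gt;   */
        case '"':  out_len += 6; break; /* &quot; */
        case '\'': out_len += 5; break; /* &#39;  */
        default:   out_len += 1; break;
        }
    }

    out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: copy, substituting entities for the dangerous characters. */
    p = out;
    for (i = 0; in[i] != '\0'; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default: break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            memcpy(p, rep, n);
            p += n;
        } else {
            *p++ = in[i];
        }
    }
    *p = '\0';
    return out;
}

/* Renders the <option> element the way the message above shows it,
 * without escaping: this reproduces the broken output for "John's server". */
int render_option_unescaped(char *buf, size_t buflen, const char *host_name) {
    int n = snprintf(buf, buflen, "<option value='%s'>%s", host_name, host_name);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Same element, but with the host name escaped for attribute context.
 * Returns the number of bytes written, or -1 on error or truncation. */
int render_option(char *buf, size_t buflen, const char *host_name) {
    char *esc = html_attr_escape(host_name);
    int n;
    if (esc == NULL)
        return -1;
    n = snprintf(buf, buflen, "<option value='%s'>%s", esc, esc);
    free(esc);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void) {
    /* Constructed sample host names: the two from the thread plus one that
     * mixes both quote styles and markup characters. */
    const char *hosts[] = { "SDSL:Customer", "John's server", "a \"b\" <c> & 'd'" };
    char buf[256];
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        if (render_option_unescaped(buf, sizeof buf, hosts[i]) >= 0)
            printf("unescaped: %s\n", buf);
        if (render_option(buf, sizeof buf, hosts[i]) >= 0)
            printf("escaped:   %s\n", buf);
    }
    return 0;
}
```

Two practical notes. First, the escaped form is safe inside either a single- or a double-quoted attribute, so the same routine can serve the value='...' in avail.cgi and the <option value='...'> in histogram.cgi and trends.cgi without the caller knowing which quote style the template uses. Second, the routine must be declared in a header included by every CGI that calls it: in C a function used without a prototype is implicitly assumed to return int, and assigning or comparing that int against a char pointer is exactly what produces the "pointer/integer type mismatch in conditional expression" warnings listed above.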
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel