Variables encoded twice

Bernd Arnold bernd_a at gmx.de
Tue Aug 5 21:30:31 CEST 2008


> > So try
> > printf("<input type='hidden' name='host'
> > value='%s'>\n",html_encode(host_name,FALSE));
> 
> But this works only if you enable escape_html_tags in cgi.cfg.
> 
> New idea: I added a function escape_string() to clean all user supplied
> strings that get printed into html form values. Works for the above test
> cases independent of escape_html_tags. An updated patch is attached.
> 

Hi Armin,

I fully agree. The html_encode function depends on the escape_html_tags setting. I've applied your patch and it works for the hosts "SDSL:Customer" and "John's server" in avail.cgi.

But it's not complete yet. Try "John's server" in the histogram.cgi and trends.cgi, and you'll get
<option value='John's server'>John's server
Maybe you'll have a look at this; I will also, but I don't have the time today.

During compile, I've got four warning messages:
avail.c:944: warning: pointer/integer type mismatch in conditional expression
history.c:207: warning: pointer/integer type mismatch in conditional expression
trends.c:861: warning: pointer/integer type mismatch in conditional expression
histogram.c:749: warning: pointer/integer type mismatch in conditional expression

They don't appear if I declare your escape_string function in the cgiutils.h files (I don't know the difference between cgiutils.h and cgiutils.h.in, so I patched both files).

Regards
Bernd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cgiutils.h.diff
Type: application/octet-stream
Size: 533 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20080805/6d1751d3/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cgiutils.h.in.diff
Type: application/octet-stream
Size: 539 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20080805/6d1751d3/attachment-0001.obj>
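The problem the thread is circling is that html_encode only rewrites the characters the escape_html_tags option tells it to, so a name containing an apostrophe still breaks out of a single-quoted attribute value in the generated <option> and <input> tags. The example below is added here for illustration and is not Nagios code or the patch discussed above: a hypothetical attr_escape() that always rewrites the five characters that can terminate or alter an HTML attribute value (&, <, >, " and '), independent of any configuration flag, and a hypothetical render_option() that builds the same <option> line shown in the message with and without it. Declaring such a function in a header before use is also what silences the "pointer/integer type mismatch" warnings mentioned above: without a prototype, a pre-C99 compiler assumes the undeclared function returns int, and the returned char * is then compared against an int in the conditional.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Nagios code. Encode a string for safe use inside an
 * HTML attribute value (and element text), unconditionally: no dependence
 * on a configuration setting such as escape_html_tags. Returns a malloc'd
 * buffer that the caller frees, or NULL on allocation failure. */
char *attr_escape(const char *in) {
    size_t len = 0;
    const char *p;
    char *out, *o;

    /* First pass: compute the encoded length so one allocation suffices. */
    for (p = in; *p; p++) {
        switch (*p) {
            case '&':  len += 5; break; /* &amp;  */
            case '<':  len += 4; break; /* &lt;   */
            case '>':  len += 4; break; /* &gt;   */
            case '"':  len += 6; break; /* &quot; */
            case '\'': len += 5; break; /* &#39;  */
            default:   len += 1; break;
        }
    }

    out = malloc(len + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: emit the entity for each special character, copy the rest. */
    for (p = in, o = out; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            memcpy(o, rep, n);
            o += n;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* The unsafe form from the thread: the host name is printed verbatim, so
 * "John's server" yields value='John's server' and the quote is unbalanced. */
int render_option_unsafe(const char *host, char *buf, size_t bufsz) {
    return snprintf(buf, bufsz, "<option value='%s'>%s</option>\n", host, host);
}

/* The hardened form: every user-supplied string is escaped before it is
 * interpolated into the attribute value or the element text. */
int render_option(const char *host, char *buf, size_t bufsz) {
    char *esc = attr_escape(host);
    int n;
    if (esc == NULL)
        return -1;
    n = snprintf(buf, bufsz, "<option value='%s'>%s</option>\n", esc, esc);
    free(esc);
    return n;
}

int main(void) {
    /* Constructed sample host names taken from the cases mentioned in the thread. */
    const char *hosts[] = { "John's server", "SDSL:Customer", "<script>alert(1)</script>" };
    char buf[256];
    size_t i;
    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        render_option_unsafe(hosts[i], buf, sizeof buf);
        fputs(buf, stdout);
        render_option(hosts[i], buf, sizeof buf);
        fputs(buf, stdout);
    }
    return 0;
}
```

Escaping to numeric/named entities rather than backslash-quoting is the point: inside an HTML attribute the browser decodes &#39; back to an apostrophe for display, but it never treats the entity as the closing delimiter, so the same function serves single-quoted, double-quoted and unquoted contexts alike.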
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel

