[Openvas-commits] r12179 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Nov 24 11:11:21 CET 2011
Author: hdoreau
Date: 2011-11-24 11:11:17 +0100 (Thu, 24 Nov 2011)
New Revision: 12179
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/xml.inc
Log:
* scripts/xml.inc: Escape XML content properly.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-11-24 09:53:31 UTC (rev 12178)
+++ trunk/openvas-plugins/ChangeLog 2011-11-24 10:11:17 UTC (rev 12179)
@@ -1,3 +1,7 @@
+2011-11-24 Henri Doreau <henri.doreau at gmail.com>
+
+ * scripts/xml.inc: Escape XML content properly.
+
2011-11-24 Jan-Oliver Wagner <jan-oliver.wagner at greenbone.net>
* scripts/secpod_mutt_detect.nasl: Revised according
Modified: trunk/openvas-plugins/scripts/xml.inc
===================================================================
--- trunk/openvas-plugins/scripts/xml.inc 2011-11-24 09:53:31 UTC (rev 12178)
+++ trunk/openvas-plugins/scripts/xml.inc 2011-11-24 10:11:17 UTC (rev 12179)
@@ -32,7 +32,7 @@
if (!isnull(attributes)) {
foreach attr (keys(attributes)) {
- res += ' ' + attr + '="' + attributes[attr] + '"';
+ res += ' ' + attr + '="' + xml_escape(attributes[attr]) + '"';
}
}
res += '>';
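Review bot: The attribute name `attr` is still concatenated into the markup as-is on the changed line; only the value goes through `xml_escape`. Names cannot be made safe by entity-escaping, so if any caller derives keys from scanned data they would need checking against an XML name pattern. If keys are always plugin-author literals, a comment above the `foreach` such as `# attribute names must be trusted literals; only values are escaped` would record that assumption. The enclosing function starts and ends outside this hunk, so how the tag name is handled cannot be judged from here.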
@@ -45,7 +45,7 @@
}
function xml_tagline(tag, attributes, value) {
- return xml_open_tag(tag:tag, attributes:attributes) + value + xml_close_tag(tag);
+ return xml_open_tag(tag:tag, attributes:attributes) + xml_escape(value) + xml_close_tag(tag);
}
function xml_open_comment() {
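Review bot: `xml_tagline` now escapes `value` unconditionally, so a caller that passes already-built markup (for example the result of a nested `xml_tagline(...)`) will have its child element turned into text, and a caller that escaped the value itself will get it double-escaped. Callers are not visible in this diff, so existing uses should be checked for both patterns. The contract is worth stating above the function, e.g. `# value is treated as text and escaped; nest elements with xml_open_tag()/xml_close_tag()`.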
@@ -60,3 +60,27 @@
return '\n';
}
+function xml_escape() {
+ local_var escape_table, str, str_escaped, i;
+
+ escape_table = make_array(
+ "&", "&",
+ "'", "'",
+ '"', """,
+ "<", "<",
+ ">", ">");
+
+ str_escaped = "";
+
+ str = _FCT_ANON_ARGS[0];
+ max_idx = strlen(str);
+
+ for (i = 0; i < max_idx; i++) {
+ if (!isnull(escape_table[str[i]]))
+ str_escaped += escape_table[str[i]];
+ else
+ str_escaped += str[i];
+ }
+ return str_escaped;
+}
+
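Review bot: `max_idx` is assigned in `xml_escape` but is missing from the `local_var` list, unlike the other four variables, so it is not guaranteed to stay confined to this function and may collide with a same-named variable in a script that includes xml.inc. Declare it as well: `local_var escape_table, str, str_escaped, i, max_idx;`. The function also has no header comment; it should say that it takes one anonymous argument, returns it with the five XML special characters replaced, and must be applied exactly once per value. In this archived rendering the replacement strings in `escape_table` appear to have been entity-decoded, so the actual entity values should be verified against the repository rather than this page.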