
Commit 55ea0a0

committed
Add a function to escape Javascript characters
1 parent 00c315c commit 55ea0a0


3 files changed

+85
-3
lines changed


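--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -468,7 +468,7 @@ apr_byte_t oidc_post_preserve_javascript(request_rec *r, const char *location,
 " </script>\n", jmethod, json,
 location ?
 apr_psprintf(r->pool, "window.location='%s';\n",
-location) :
+oidc_util_javascript_escape(r->pool, location)) :
 "");
 if (location == NULL) {
 if (javascript_method)
@@ -516,7 +516,7 @@ static int oidc_request_post_preserved_restore(request_rec *r,
 " document.forms[0].action = \"%s\";\n"
 " document.forms[0].submit();\n"
 " }\n"
-" </script>\n", method, original_url);
+" </script>\n", method, oidc_util_javascript_escape(r->pool, original_url));
 
 const char *body = " <p>Restoring...</p>\n"
 " <form method=\"post\"></form>\n";
@@ -1553,7 +1553,7 @@ static int oidc_session_redirect_parent_window_to_logout(request_rec *r,
 char *java_script = apr_psprintf(r->pool,
 " <script type=\"text/javascript\">\n"
 " window.top.location.href = '%s?session=logout';\n"
-" </script>\n", oidc_get_redirect_uri(r, c));
+" </script>\n", oidc_util_javascript_escape(r->pool, oidc_get_redirect_uri(r, c)));
 
 return oidc_util_html_send(r, "Redirecting...", java_script, NULL, NULL,
 OK);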
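Review bot: The escape applied at the three call sites only protects the syntax of a quoted JavaScript string literal; it does not establish that the value is a safe navigation target, so the assignment to `window.location` in the first hunk still depends on `location` having been checked before it reaches this code, which the hunk cannot show. A short comment at the `apr_psprintf` call would make that assumption explicit for the next reader, e.g. `/* location is assumed to be validated upstream; the escape only keeps it inside the '...' literal */`. The same applies to `original_url` in the second hunk and to the redirect URI in the third. oidc_post_preserve_javascript and the other two functions start and end outside their hunks.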

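--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -776,6 +776,7 @@ apr_byte_t oidc_json_object_get_string(apr_pool_t *pool, json_t *json, const cha
 apr_byte_t oidc_json_object_get_int(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
 apr_byte_t oidc_json_object_get_bool(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
 char *oidc_util_html_escape(apr_pool_t *pool, const char *input);
+char *oidc_util_javascript_escape(apr_pool_t *pool, const char *input);
 void oidc_util_table_add_query_encoded_params(apr_pool_t *pool, apr_table_t *table, const char *params);
 apr_hash_t * oidc_util_merge_key_sets(apr_pool_t *pool, apr_hash_t *k1, const apr_array_header_t *k2);
 apr_hash_t * oidc_util_merge_key_sets_hash(apr_pool_t *pool, apr_hash_t *k1, apr_hash_t *k2);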
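Review bot: The new prototype carries no contract documentation, and its parameter is named `input` here while the definition in src/util.c names it `s`; aligning the names and adding a brief comment would make the header self-explanatory. Suggested text above the declaration: `/** Escape input for use inside a quoted JavaScript string literal: ', ", \, /, CR and LF get a backslash escape and < and > become \x3c and \x3e. Returns a pool-allocated copy, or NULL when input is NULL. */`. Which pool the result belongs to is worth stating too, since callers pass `r->pool`.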

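--- a/src/util.c
+++ b/src/util.c
@@ -366,6 +366,87 @@ char* oidc_util_html_escape(apr_pool_t *pool, const char *s) {
 return apr_pstrdup(pool, r);
 }
 
+/*
+* JavaScript escape a string
+*/
+char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+const char *cp;
+char *output;
+size_t outputlen;
+int i;
+
+if (s == NULL) {
+return NULL;
+}
+
+outputlen = 0;
+for (cp = s; *cp; cp++) {
+switch (*cp) {
+case '\'':
+case '"':
+case '\\':
+case '/':
+case 0x0D:
+case 0x0A:
+outputlen += 2;
+break;
+case '<':
+case '>':
+outputlen += 4;
+break;
+default:
+outputlen += 1;
+break;
+}
+}
+
+i = 0;
+output = apr_palloc(pool, outputlen + 1);
+for (cp = s; *cp; cp++) {
+switch (*cp) {
+case '\'':
+(void)strcpy(&output[i], "\\'");
+i += 2;
+break;
+case '"':
+(void)strcpy(&output[i], "\\\"");
+i += 2;
+break;
+case '\\':
+(void)strcpy(&output[i], "\\\\");
+i += 2;
+break;
+case '/':
+(void)strcpy(&output[i], "\\/");
+i += 2;
+break;
+case 0x0D:
+(void)strcpy(&output[i], "\\r");
+i += 2;
+break;
+case 0x0A:
+(void)strcpy(&output[i], "\\n");
+i += 2;
+break;
+case '<':
+(void)strcpy(&output[i], "\\x3c");
+i += 4;
+break;
+case '>':
+(void)strcpy(&output[i], "\\x3e");
+i += 4;
+break;
+default:
+output[i] = *cp;
+i += 1;
+break;
+}
+}
+output[i] = '\0';
+return output;
+}
+
+
 /*
 * get the URL scheme that is currently being accessed
 */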
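Review bot: The write index `i` is declared `int` at new line 376 while the length it tracks, `outputlen`, is `size_t` and the buffer is allocated with `outputlen + 1`; a signed counter indexing a size_t-sized buffer is an inconsistency the sizing pass and the writing pass should not have, so declare `size_t i;` and keep the two passes' types aligned. The escape works byte by byte, so if a caller ever passed UTF-8 containing the JavaScript line terminators U+2028 or U+2029 their bytes would pass through the `default` branch unescaped; whether such input can reach this function is not visible here, so a comment recording that it is intended for ASCII, URL-like input would be worth adding. The header comment `* JavaScript escape a string` should also state the contract: NULL in gives NULL out, the result is pool-allocated, it is meant for the inside of a single- or double-quoted JS string literal, and because `<` and `>` are always rewritten to `\x3c` and `\x3e` no literal `</script>` sequence can appear in the output.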
