From 75c6b19a1a9df431a769f9770f971e47e3093a47 Mon Sep 17 00:00:00 2001
From: Fabrizio Furano <furano@cern.ch>
Date: Fri, 6 Aug 2021 10:59:58 +0200
Subject: [PATCH] XML-quote error messages sent through XrdHttp

---
 src/XrdHttp/XrdHttpReq.cc   |  6 +++++-
 src/XrdHttp/XrdHttpUtils.cc | 29 -----------------------------
 src/XrdHttp/XrdHttpUtils.hh |  3 ---
 3 files changed, 5 insertions(+), 33 deletions(-)

diff --git a/src/XrdHttp/XrdHttpReq.cc b/src/XrdHttp/XrdHttpReq.cc
index e608dc7128b..7ab3b3917d7 100644
--- a/src/XrdHttp/XrdHttpReq.cc
+++ b/src/XrdHttp/XrdHttpReq.cc
@@ -639,8 +639,12 @@ bool XrdHttpReq::Error(XrdXrootd::Bridge::Context &info, //!< the result context
 
   xrdresp = kXR_error;
   xrderrcode = (XErrorCode) ecode;
-  obfuscatepath(this->etext, etext_);
 
+  if (etext_) {
+    char *s = escapeXML(etext_);
+    this->etext = s;
+    free(s);
+  }
 
   if (PostProcessHTTPReq()) reset();
 
diff --git a/src/XrdHttp/XrdHttpUtils.cc b/src/XrdHttp/XrdHttpUtils.cc
index e2af558ea63..34e80b125eb 100644
--- a/src/XrdHttp/XrdHttpUtils.cc
+++ b/src/XrdHttp/XrdHttpUtils.cc
@@ -439,32 +439,3 @@ char *escapeXML(const char *str) {
 
 
 
-// If the text contains a path then it will not be seen as such by wannabe security tests
-// Returns the number of chars that have been substituted
-int obfuscatepath(std::string &strout, const char *strin) {
-  int l = strlen(strin);
-  strout.clear();
-  int i, j = 0;
-
-  for (i = 0; i < l; i++) {
-    const char c = strin[i];
-
-    switch (c) {
-      case '/':
-        strout.append(" / ");
-        j++;
-        break;
-      case '\\':
-        strout.append(" \\ ");
-        j++;
-        break;
-      default:
-        strout.push_back(c);
-    }
-  }
-
-
-  return j;
-}
-
-
diff --git a/src/XrdHttp/XrdHttpUtils.hh b/src/XrdHttp/XrdHttpUtils.hh
index 09c1a0b2cbe..67d334bf11d 100644
--- a/src/XrdHttp/XrdHttpUtils.hh
+++ b/src/XrdHttp/XrdHttpUtils.hh
@@ -90,9 +90,6 @@ char *unquote(char *str);
 char *escapeXML(const char *str);
 
 
-// If the text contains a path then it will not be seen as such by wannabe security tests
-// // Returns the number of chars that have been substituted
-int obfuscatepath(std::string &, const char *);
  
 #endif	/* XRDHTTPUTILS_HH */