Add a function to escape Javascript characters
oss-aimoto committed Jun 28, 2021
1 parent 00c315c commit 55ea0a0
Showing 3 changed files with 85 additions and 3 deletions.
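--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -468,7 +468,7 @@ apr_byte_t oidc_post_preserve_javascript(request_rec *r, const char *location,
 " </script>\n", jmethod, json,
 location ?
 apr_psprintf(r->pool, "window.location='%s';\n",
-location) :
+oidc_util_javascript_escape(r->pool, location)) :
 "");
 if (location == NULL) {
 if (javascript_method)
@@ -516,7 +516,7 @@ static int oidc_request_post_preserved_restore(request_rec *r,
 " document.forms[0].action = \"%s\";\n"
 " document.forms[0].submit();\n"
 " }\n"
-" </script>\n", method, original_url);
+" </script>\n", method, oidc_util_javascript_escape(r->pool, original_url));
 
 const char *body = " <p>Restoring...</p>\n"
 " <form method=\"post\"></form>\n";
@@ -1553,7 +1553,7 @@ static int oidc_session_redirect_parent_window_to_logout(request_rec *r,
 char *java_script = apr_psprintf(r->pool,
 " <script type=\"text/javascript\">\n"
 " window.top.location.href = '%s?session=logout';\n"
-" </script>\n", oidc_get_redirect_uri(r, c));
+" </script>\n", oidc_util_javascript_escape(r->pool, oidc_get_redirect_uri(r, c)));
 
 return oidc_util_html_send(r, "Redirecting...", java_script, NULL, NULL,
 OK);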
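Review bot: The new escaping keeps `location` and `original_url` from breaking out of the quoted string, but it does not constrain where the browser navigates: the first hunk still assigns the value to `window.location` and the second to `document.forms[0].action`, so a value with a non-http(s) scheme would pass through unchanged. Nothing visible in these hunks validates the scheme, so confirm the callers reject such values before they reach here, and record that at each site with a comment such as `/* location was validated as an absolute http(s) URL by the caller */`. In the second hunk `method` is also still formatted into the script unescaped; if it can ever carry request data it needs the same treatment. All three enclosing functions start and end outside the hunks shown.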
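--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -776,6 +776,7 @@ apr_byte_t oidc_json_object_get_string(apr_pool_t *pool, json_t *json, const cha
 apr_byte_t oidc_json_object_get_int(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
 apr_byte_t oidc_json_object_get_bool(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
 char *oidc_util_html_escape(apr_pool_t *pool, const char *input);
+char *oidc_util_javascript_escape(apr_pool_t *pool, const char *input);
 void oidc_util_table_add_query_encoded_params(apr_pool_t *pool, apr_table_t *table, const char *params);
 apr_hash_t * oidc_util_merge_key_sets(apr_pool_t *pool, apr_hash_t *k1, const apr_array_header_t *k2);
 apr_hash_t * oidc_util_merge_key_sets_hash(apr_pool_t *pool, apr_hash_t *k1, apr_hash_t *k2);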
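--- a/src/util.c
+++ b/src/util.c
@@ -366,6 +366,87 @@ char* oidc_util_html_escape(apr_pool_t *pool, const char *s) {
 return apr_pstrdup(pool, r);
 }
 
+/*
+* JavaScript escape a string
+*/
+char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+const char *cp;
+char *output;
+size_t outputlen;
+int i;
+
+if (s == NULL) {
+return NULL;
+}
+
+outputlen = 0;
+for (cp = s; *cp; cp++) {
+switch (*cp) {
+case '\'':
+case '"':
+case '\\':
+case '/':
+case 0x0D:
+case 0x0A:
+outputlen += 2;
+break;
+case '<':
+case '>':
+outputlen += 4;
+break;
+default:
+outputlen += 1;
+break;
+}
+}
+
+i = 0;
+output = apr_palloc(pool, outputlen + 1);
+for (cp = s; *cp; cp++) {
+switch (*cp) {
+case '\'':
+(void)strcpy(&output[i], "\\'");
+i += 2;
+break;
+case '"':
+(void)strcpy(&output[i], "\\\"");
+i += 2;
+break;
+case '\\':
+(void)strcpy(&output[i], "\\\\");
+i += 2;
+break;
+case '/':
+(void)strcpy(&output[i], "\\/");
+i += 2;
+break;
+case 0x0D:
+(void)strcpy(&output[i], "\\r");
+i += 2;
+break;
+case 0x0A:
+(void)strcpy(&output[i], "\\n");
+i += 2;
+break;
+case '<':
+(void)strcpy(&output[i], "\\x3c");
+i += 4;
+break;
+case '>':
+(void)strcpy(&output[i], "\\x3e");
+i += 4;
+break;
+default:
+output[i] = *cp;
+i += 1;
+break;
+}
+}
+output[i] = '\0';
+return output;
+}
+
+
 /*
 * get the URL scheme that is currently being accessed
 */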
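Review bot: The sizing pass and the copy pass in `oidc_util_javascript_escape` each carry their own `switch`, and the `apr_palloc` size is only correct while the two agree case for case; a later edit that adds or lengthens an escape in the second loop but not the first would write past the allocation through `strcpy`. Deriving both passes from one per-character lookup removes that hazard, and `i` should be `size_t` to match `outputlen` rather than `int`. The header comment should also say that the result is only meant for a quoted string literal inside a `<script>` block and that a NULL input returns NULL. The escaped set does not cover the U+2028/U+2029 separators, which older JavaScript engines treat as line terminators inside string literals; confirm whether that matters for the browsers supported.

```c
/* replacement for one byte inside a quoted JavaScript string literal, or NULL to copy it unchanged */
static const char *oidc_util_javascript_escape_char(char c) {
	switch (c) {
	case '\'': return "\\'";
	case '"':  return "\\\"";
	case '\\': return "\\\\";
	case '/':  return "\\/";
	case 0x0D: return "\\r";
	case 0x0A: return "\\n";
	case '<':  return "\\x3c";
	case '>':  return "\\x3e";
	default:   return NULL;
	}
}

char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
	/* … unchanged: cp/output declarations and the NULL check … */
	size_t outputlen = 0;
	size_t i = 0;

	for (cp = s; *cp; cp++) {
		const char *rep = oidc_util_javascript_escape_char(*cp);
		outputlen += rep ? strlen(rep) : 1;
	}

	output = apr_palloc(pool, outputlen + 1);
	for (cp = s; *cp; cp++) {
		const char *rep = oidc_util_javascript_escape_char(*cp);
		if (rep != NULL) {
			size_t n = strlen(rep);
			memcpy(&output[i], rep, n);
			i += n;
		} else {
			output[i++] = *cp;
		}
	}
	/* … unchanged: terminate output and return it … */
}
```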
