diff --git a/src/util/conv.c b/src/util/conv.c
index 5beb001f..095dba40 100644
--- a/src/util/conv.c
+++ b/src/util/conv.c
@@ -275,7 +275,7 @@ struct string *
 add_html_to_string(struct string *string, const unsigned char *src, int len)
 {
 	for (; len; len--, src++) {
-		if (*src < 0x20 || *src >= 0x7F
+		if (*src < 0x20
 		    || *src == '<' || *src == '>' || *src == '&'
 		    || *src == '\"' || *src == '\'') {
 			int rollback_length = string->length;
diff --git a/src/util/conv.h b/src/util/conv.h
index 86d220cc..d247ac69 100644
--- a/src/util/conv.h
+++ b/src/util/conv.h
@@ -76,7 +76,12 @@ add_string_replace(struct string *string, unsigned char *src, int len,
 #define add_real_optname_to_string(str, src, len) \
 	add_string_replace(str, src, len, '*', '.')
 
-/* Convert reserved chars to html &#xx */
+/* Convert reserved chars to html &#xx;. This function copies bytes
+ * 0x80...0xFF unchanged, so the caller should ensure that the
+ * resulting HTML will be parsed with the same charset as the original
+ * string. (This function cannot use the   syntax for non-ASCII,
+ * because HTML wants Unicode numbers there and this function does not
+ * know the charset of the input data.) */
 struct string *add_html_to_string(struct string *string, const unsigned char *html, int htmllen);
 
 /* Escapes \ and " with a \ */
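Review bot: The new condition also stops escaping 0x7F (DEL): dropping `*src >= 0x7F` lets that control byte through to the output unchanged, while the conv.h comment added in the second hunk describes the pass-through range as 0x80...0xFF, so code and documentation disagree on exactly that byte. If the intent is to leave only the charset-dependent bytes unescaped, keep DEL in the escaped set with `if (*src < 0x20 || *src == 0x7F`; otherwise the comment in conv.h should read `0x7F...0xFF` so callers know a C0/DEL control character can reach the generated HTML raw. Which of the two is meant cannot be confirmed from the hunk alone, because the rest of add_html_to_string, including the `&#` emission and the rollback path, lies outside it.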