From 1c3fc2bbdba7d455f5525db665fe1222565d2145 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Wed, 10 Jan 2018 15:29:59 +0000
Subject: [PATCH] i2psnark: Fix double-escaping of '&' (ticket #2127)
---
 .../org/klomp/snark/web/I2PSnarkServlet.java | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 1863a6c171..bb156c7afe 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -2784,7 +2784,7 @@ public class I2PSnarkServlet extends BasicServlet {
 String link = urlEncode(s);
 String display;
 if (s.length() <= max)
- display = DataHelper.escapeHTML(link);
+ display = escapeHTML2(link);
 else
 display = DataHelper.escapeHTML(s.substring(0, max)) + "…";
 buf.append("<a href=\"").append(link).append("\">").append(display).append("</a>");
@@ -2801,6 +2801,24 @@ public class I2PSnarkServlet extends BasicServlet {
 .replace("[", "%5B").replace("]", "%5D");
 }

+ private static final String escapeChars[] = {"\"", "<", ">", "'"};
+ private static final String escapeCodes[] = {""", "<", ">", "'"};
+
+ /**
+ * Modded from DataHelper.
+ * Does not escape ampersand. String must already have escaped ampersand.
+ * @param unescaped the unescaped string, non-null
+ * @return the escaped string
+ * @since 0.9.33
+ */
+ private static String escapeHTML2(String unescaped) {
+ String escaped = unescaped;
+ for (int i = 0; i < escapeChars.length; i++) {
+ escaped = escaped.replace(escapeChars[i], escapeCodes[i]);
+ }
+ return escaped;
+ }
+
 private static final String DOCTYPE = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n";
 private static final String HEADER_A = "<link href=\"";
 private static final String HEADER_B = "snark.css?" + CoreVersion.VERSION + "\" rel=\"stylesheet\" type=\"text/css\" >";
-- GitLab
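Review bot: `link` is still appended into the `href` attribute without any HTML escaping, while only the display text in the `s.length() <= max` branch now goes through `escapeHTML2(link)`. Whether the attribute is safe depends on `urlEncode()` percent-encoding `"`, `<` and `>`, and only the last line of that method is visible in this patch. Computing the escaped value once, `String escLink = escapeHTML2(link);`, and appending `escLink` for the attribute as well would remove that dependency. The enclosing method starts and ends outside the hunk.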
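Review bot: `escapeHTML2()` is only correct on text whose `&` has already been escaped, and nothing but the Javadoc says so; the name reads like a drop-in replacement for `DataHelper.escapeHTML()`. A later caller that passes raw text would emit unescaped ampersands. I would put the precondition in the method name, or extend the Javadoc with `Only for output of urlEncode(); use DataHelper.escapeHTML() for anything else.`, assuming, as the call site suggests, that `urlEncode()` is what escapes the ampersand. The `escapeCodes` literals look entity-decoded as rendered on this page, so confirm against the file that they are the HTML entities for the four characters.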