gnucash stable: [gnc-plugin-report-system] sanitize error html before adding to page

Christopher Lam clam at code.gnucash.org
Wed Apr 26 10:14:04 EDT 2023


Updated	 via  https://github.com/Gnucash/gnucash/commit/5aaedbf7 (commit)
	from  https://github.com/Gnucash/gnucash/commit/b7e966d8 (commit)



commit 5aaedbf7a4535ee48cc0b212fdee5a86b947ae73
Author: Christopher Lam <christopher.lck at gmail.com>
Date:   Wed Apr 26 22:11:25 2023 +0800

    [gnc-plugin-report-system] sanitize error html before adding to page
    
    The error backtrace usually contains < > characters, e.g. #<report>
    or #<procedure>. This commit escapes them (and &) as HTML entities so
    that WebKit renders them literally instead of parsing them as markup.

diff --git a/gnucash/gnome/gnc-plugin-report-system.c b/gnucash/gnome/gnc-plugin-report-system.c
index c42a9f6472..d6d58d3bd4 100644
--- a/gnucash/gnome/gnc-plugin-report-system.c
+++ b/gnucash/gnome/gnc-plugin-report-system.c
@@ -137,6 +137,24 @@ gnc_report_system_file_stream_cb (const char *location, char ** data, int *len)
     return (*len > 0);
 }
 
+static char *
+html_sanitize (const char *str)
+{
+    GString *gs = g_string_sized_new (strlen (str));
+    for (const char *c = str; *c; c++)
+    {
+        if (*c == '&')
+            gs = g_string_append (gs, "&");
+        else if (*c == '<')
+            gs = g_string_append (gs, "<");
+        else if (*c == '>')
+            gs = g_string_append (gs, ">");
+        else
+            gs = g_string_append_c (gs, *c);
+    }
+    return g_string_free (gs, FALSE);
+}
+
 static gboolean
 gnc_report_system_report_stream_cb (const char *location, char ** data, int *len)
 {
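Review bot: As printed in this hunk, the three replacement strings in html_sanitize (the `g_string_append` calls for `&`, `<` and `>`) are the same single characters they are meant to replace, which would make the function an identity transform that escapes nothing; this is most likely the mailing-list archive decoding `&amp;`, `&lt;` and `&gt;` when it rendered the message, but the committed source should be checked to confirm the literals really are `"&amp;"`, `"&lt;"` and `"&gt;"`. GLib already ships exactly this escaping: `return g_markup_escape_text (str, -1);` escapes `&`, `<`, `>`, `"` and `'` and returns a newly allocated string, so the whole hand-rolled loop can be replaced by that one call and the caller's `g_free` stays unchanged. Independently, `strlen (str)` on a NULL argument is undefined behaviour, so a guard such as `g_return_val_if_fail (str != NULL, NULL);` at the top of the function would be prudent unless every caller is known to pass a non-NULL string. The `gs = g_string_append (...)` reassignments are redundant since `g_string_append` returns the same GString it was given.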
@@ -147,12 +165,14 @@ gnc_report_system_report_stream_cb (const char *location, char ** data, int *len
 
     if (!ok)
     {
+        char *sanitized = html_sanitize (captured_str);
         *data = g_strdup_printf ("<html><body><h3>%s</h3>"
                                  "<p>%s</p><pre>%s</pre></body></html>",
                                  _("Report error"),
                                  _("An error occurred while running the report."),
-                                 captured_str);
+                                 sanitized);
 
+        g_free (sanitized);
         g_free(captured_str);
 
         /* Make sure the progress bar is finished, which will also
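Review bot: The reason for escaping deserves a comment at the `html_sanitize (captured_str)` call, because the commit message frames it purely as a rendering fix while the same escaping is what stops the captured text from being interpreted as markup by WebKit. If the captured output can ever include report- or user-supplied strings (account names, report option values) this is the difference between displaying an error and injecting HTML into the report page, although whether that content reaches `captured_str` is not visible in this hunk. Suggested comment: `/* Escape &, <, > so the backtrace is shown literally and cannot inject markup into the error page. */`. The enclosing function gnc_report_system_report_stream_cb begins and ends outside this hunk.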



Summary of changes:
 gnucash/gnome/gnc-plugin-report-system.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)


