From 5aaedbf7a4535ee48cc0b212fdee5a86b947ae73 Mon Sep 17 00:00:00 2001
From: Christopher Lam
Date: Wed, 26 Apr 2023 22:11:25 +0800
Subject: [PATCH] [gnc-plugin-report-system] sanitize error html before adding to page

The error backtrace usually contains < > characters. eg # or # etc. This commit will sanitize them to HTML entities so that they may be rendered properly in webkit.
---
 gnucash/gnome/gnc-plugin-report-system.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/gnucash/gnome/gnc-plugin-report-system.c b/gnucash/gnome/gnc-plugin-report-system.c
index c42a9f6472..d6d58d3bd4 100644
--- a/gnucash/gnome/gnc-plugin-report-system.c
+++ b/gnucash/gnome/gnc-plugin-report-system.c
@@ -137,6 +137,24 @@ gnc_report_system_file_stream_cb (const char *location, char ** data, int *len)
 return (*len > 0);
 }
+static char *
+html_sanitize (const char *str)
+{
+ GString *gs = g_string_sized_new (strlen (str));
+ for (const char *c = str; *c; c++)
+ {
+ if (*c == '&')
+ gs = g_string_append (gs, "&");
+ else if (*c == '<')
+ gs = g_string_append (gs, "<");
+ else if (*c == '>')
+ gs = g_string_append (gs, ">");
+ else
+ gs = g_string_append_c (gs, *c);
+ }
+ return g_string_free (gs, FALSE);
+}
+
 static gboolean
 gnc_report_system_report_stream_cb (const char *location, char ** data, int *len)
 {
@@ -147,12 +165,14 @@ gnc_report_system_report_stream_cb (const char *location, char ** data, int *len
 if (!ok)
 {
+ char *sanitized = html_sanitize (captured_str);
 *data = g_strdup_printf ("
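Review bot: html_sanitize in the first hunk re-implements GLib's g_markup_escape_text(), which already turns `&`, `<` and `>` (plus the quote characters) into entities and is maintained with the rest of GLib's markup handling; the helper could be dropped and the call site in the second hunk written as `char *sanitized = g_markup_escape_text (captured_str, -1);`. If the helper is kept, the `gs = g_string_append (...)` reassignments are redundant since g_string_append returns the GString it was given, and `strlen (str)` on a NULL captured_str would be undefined behaviour, so either document that `str` must be non-NULL or guard it with `if (!str) return g_strdup ("");`. As rendered on this page the three replacement literals read `"&"`, `"<"` and `">"`, which would make the function an identity map; presumably the committed source spells them as the `&amp;`, `&lt;`, `&gt;` entities and the page decoded them, but that is worth confirming against the actual file. The second hunk's function body continues past the end of this excerpt.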

%s

" "

%s

%s
", _("Report error"), _("An error occurred while running the report."), - captured_str); + sanitized); + g_free (sanitized); g_free(captured_str); /* Make sure the progress bar is finished, which will also