From b54dacbeb2f8711495bb4998d5a94268d47804b2 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Wed, 27 Feb 2013 07:58:41 -0800 Subject: [PATCH] Ensure all strings stored in XML are escaped correctly This does escaping / quoting for everything I found. Some of it was safe (the divecomputer model is supplied from libdivecomputer, and none of them have single quotes _yet_, afaik), but with this there are no '%s' strings left except for the ones used by the helper functions (for "pre" and "post" strings). It also takes some of our existing uses of show_utf8(), and removes the redundant "check if the string is NULL or empty". show_utf8() does that internally. Fixes #73 Signed-off-by: Linus Torvalds Signed-off-by: Dirk Hohndel --- save-xml.c | 28 +++++++++++----------------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/save-xml.c b/save-xml.c index b3bf9701d..0685c9fd1 100644 --- a/save-xml.c +++ b/save-xml.c @@ -288,8 +288,7 @@ static void save_cylinder_info(FILE *f, struct dive *dive) if (volume) show_milli(f, " size='", volume, " l", "'"); show_pressure(f, cylinder->type.workingpressure, " workpressure='", "'"); - if (description && *description) - fprintf(f, " description='%s'", description); + show_utf8(f, description, " description='", "'", 1); if (o2) { fprintf(f, " o2='%u.%u%%'", FRACTION(o2, 10)); if (he) @@ -315,8 +314,7 @@ static void save_weightsystem_info(FILE *f, struct dive *dive) return; fprintf(f, " \n"); } } @@ -418,8 +416,7 @@ static void save_samples(FILE *f, int nr, struct sample *s) static void save_dc(FILE *f, struct dive *dive, struct divecomputer *dc) { fprintf(f, " model) - show_utf8(f, dc->model, " model='", "'", 1); + show_utf8(f, dc->model, " model='", "'", 1); if (dc->deviceid) fprintf(f, " deviceid='%08x'", dc->deviceid); if (dc->diveid) 
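Review bot: The trailing `1` in `show_utf8(f, description, " description='", "'", 1);` in save_cylinder_info is an unnamed flag, and it is the only thing telling the helper that this text lands inside a single-quoted attribute value. show_utf8() is outside this patch, so the meaning is inferred from the element-text call in save_trip that passes `0`; if that reading is right, a call site that passes `0` by mistake would presumably leave a quote character unescaped and let stored text end the attribute early. A short comment at the call, `/* 1 = attribute context: quote characters are escaped too */`, or a named constant would make each call site checkable at a glance. The same applies to the calls added in save_dc and save_one_device. The body of save_cylinder_info starts and ends outside the hunk.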
@@ -478,11 +475,9 @@ static void save_trip(FILE *f, dive_trip_t *trip) fprintf(f, "when); - if (trip->location) - show_utf8(f, trip->location, " location=\'","\'", 1); + show_utf8(f, trip->location, " location=\'","\'", 1); fprintf(f, ">\n"); - if (trip->notes) - show_utf8(f, trip->notes, "","\n", 0); + show_utf8(f, trip->notes, "","\n", 0); /* * Incredibly cheesy: we want to save the dives sorted, and they @@ -523,13 +518,12 @@ static void save_one_device(FILE *f, struct device_info *info) if (!serial_nr && !nickname && !firmware) return; - fprintf(f, "model, info->deviceid); - if (serial_nr) - show_utf8(f, serial_nr, " serial='", "'", 1); - if (firmware) - show_utf8(f, firmware, " firmware='", "'", 1); - if (nickname) - show_utf8(f, nickname, " nickname='", "'", 1); + fprintf(f, "model, " model='", "'", 1); + fprintf(f, " deviceid='%08x'", info->deviceid); + show_utf8(f, serial_nr, " serial='", "'", 1); + show_utf8(f, firmware, " firmware='", "'", 1); + show_utf8(f, nickname, " nickname='", "'", 1); fprintf(f, "/>\n"); }
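Review bot: The location call in save_trip keeps the `\'` escapes, `" location=\'","\'"`, which are not needed inside a double-quoted C string and differ from every other call this patch touches. Since the line is rewritten anyway, `show_utf8(f, trip->location, " location='", "'", 1);` would match the rest, so a search for the attribute writers finds all of them. Dropping the `if (trip->location)` and `if (trip->notes)` guards depends on show_utf8() returning early for NULL, which the commit message states but this patch does not show. save_trip continues past the end of the hunk.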
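Review bot: In save_one_device the `model` attribute now appears to go through show_utf8() (the added line is partly lost in this rendering), so by the commit message's description it is skipped when the string is NULL or empty, where the old `fprintf` always emitted it. The early return above tests only serial_nr, nickname and firmware, so an entry with one of those set and no model would presumably be saved with `deviceid` alone. Whether the loader accepts that is not visible here. If model and deviceid together identify the device, a comment next to the call such as `/* model may be omitted when empty; the parser must not rely on it */` would record the new behaviour. The start of the function is outside the hunk.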