From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from krisdoz.my.domain (schwarze@localhost [127.0.0.1])
	by krisdoz.my.domain (8.14.5/8.14.5) with ESMTP id s9RGT7uQ019018
	for ; Mon, 27 Oct 2014 12:29:07 -0400 (EDT)
Received: (from schwarze@localhost)
	by krisdoz.my.domain (8.14.5/8.14.3/Submit) id s9RGT6NX000366;
	Mon, 27 Oct 2014 12:29:06 -0400 (EDT)
Date: Mon, 27 Oct 2014 12:29:06 -0400 (EDT)
Message-Id: <201410271629.s9RGT6NX000366@krisdoz.my.domain>
X-Mailinglist: mdocml-source
Reply-To: source@mdocml.bsd.lv
MIME-Version: 1.0
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: Handle output encoding for unicode, numbered and named escape
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8

Log Message:
-----------
Handle output encoding for unicode, numbered and named escape sequences
in one common, safe way instead of three different ways.
In particular,
* skip NUL, it is used to mean "no output desired"
* deny 0x01-0x1F and 0x7F-0x9F, print REPLACEMENT CHARACTER instead
* print 0x20-0x7E literally or name-encoded, as required
* print characters above 0x9F numerically

Modified Files:
--------------
    mdocml:
        html.c

Revision Data
-------------
Index: html.c =================================================================== RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/html.c,v retrieving revision 1.178 retrieving revision 1.179 diff -Lhtml.c -Lhtml.c -u -p -r1.178 -r1.179 --- html.c +++ html.c 
@@ -437,40 +437,28 @@ print_encode(struct html *h, const char case ESCAPE_UNICODE: /* Skip past "u" header. */ c = mchars_num2uc(seq + 1, len - 1); - - /* - * XXX Security warning: - * For now, forbid Unicode obfuscation of ASCII - * characters. An audit of the callers is - * required before this can be removed. - */ - - if (c < 0x80) - c = 0xFFFD; - - printf("&#x%x;", c); break; case ESCAPE_NUMBERED: c = mchars_num2char(seq, len); - if ( ! ('\0' == c || print_escape(c))) - putchar(c); break; case ESCAPE_SPECIAL: c = mchars_spec2cp(h->symtab, seq, len); - if (c <= 0) - break; - if (c < 0x20 || c > 0x7e) - printf("&#%d;", c); - else if ( ! print_escape(c)) - putchar(c); break; case ESCAPE_NOSPACE: if ('\0' == *p) nospace = 1; - break; + continue; default: - break; + continue; } + if (c <= 0) + continue; + if (c < 0x20 || (c > 0x7E && c < 0xA0)) + c = 0xFFFD; + if (c > 0x7E) + printf("&#%d;", c); + else if ( ! print_escape(c)) + putchar(c); } return(nospace); -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
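Review bot: The ESCAPE_UNICODE case drops the `if (c < 0x80) c = 0xFFFD;` guard together with its comment saying an audit of the callers is required before it can be removed, and neither the log message nor the new code records that this audit was done. ASCII code points written as unicode escapes now reach `print_escape(c)` and `putchar(c)` in the shared tail after the switch, so the result is only safe if print_escape() covers every character that is significant in the contexts print_encode() is called from. A short comment at the tail stating that invariant would replace the removed warning. The tail also applies no upper bound before `printf("&#%d;", c)`. Unless mchars_num2uc() already rejects them, surrogate values and values above 0x10FFFF would be emitted as numeric character references, so consider mapping those to 0xFFFD in the same range check.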