M text/text.go => text/text.go +1 -0
@@ 37,6 37,7 @@ func TextToHTML(w http.ResponseWriter, u *url.URL, rd *bufio.Reader, td template
fmt.Println(line)
}
line = util.StripSGR(line)
+ line = util.StripEscapes(line)
line = html.EscapeString(line)
io.WriteString(w, line)
}
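Review bot: Calling StripEscapes after StripSGR leaves the tail of any non-SGR escape sequence behind as visible text, because sgrRegex only matches `\x1b[...m` and StripEscapes then drops just the ESC byte — `\x1b[2J` becomes `[2J` and an OSC hyperlink `\x1b]8;;URL\x1b\\` becomes `]8;;URL\`. The html.EscapeString that follows makes this a rendering artifact rather than an HTML injection, but if the intent is clean output, util should remove whole CSI/OSC sequences before the byte filter, e.g. a second regex `\x1b\[[0-?]*[ -/]*[@-~]` for CSI (and one for OSC terminated by BEL or `ESC \`). Note also that the `fmt.Println(line)` above runs on the still-unfiltered line, so whatever gates that print (outside the hunk, presumably a debug flag) sends raw control bytes from remote content to the server's own stdout. TextToHTML begins before this hunk and, as far as is visible, continues after it.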
M util/filter.go => util/filter.go +16 -1
@@ 1,10 1,11 @@
// SPDX-FileCopyrightText: 2020 Paul Gorman
-// SPDX-FileCopyrightText: 2021 Sotiris Papatheodorou
+// SPDX-FileCopyrightText: 2021-2022 Sotiris Papatheodorou
// SPDX-License-Identifier: GPL-3.0-or-later
package util
import (
+ "bytes"
"regexp"
)
@@ 15,3 16,17 @@ var sgrRegex = regexp.MustCompile(`\x1b\[([0-9]{1,3};)*[0-9]{0,3}m`)
func StripSGR(s string) string {
return sgrRegex.ReplaceAllString(s, "")
}
+
+// StripEscapes returns with all characters below ASCII 32 removed.
+func StripEscapes(s string) string {
+ // See the security recommendations from here:
+ // https://datatracker.ietf.org/doc/html/rfc1288#section-3.3
+ buf := bytes.Buffer{}
+ for i := 0; i < len(s); i++ {
+ b := s[i]
+ if b == 9 || b == 10 || b == 13 || b >= 32 {
+ buf.WriteByte(b)
+ }
+ }
+ return buf.String()
+}
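Review bot: The filter keeps every byte >= 32, so DEL (0x7F) passes through even though the RFC 1288 text the comment cites recommends keeping only printable 7-bit characters 32–126 plus TAB, CR and LF; the condition should read `if b == 9 || b == 10 || b == 13 || (b >= 32 && b != 127) {`. Bytes >= 0x80 are presumably kept deliberately so UTF-8 text survives, but that also admits the C1 controls U+0080–U+009F (UTF-8 `0xC2 0x80`–`0xC2 0x9F`, including the 8-bit CSI U+009B); if those matter here, iterate with `for _, r := range s` and also drop `r >= 0x80 && r <= 0x9F`. The doc comment is inaccurate as written, since TAB, LF and CR are retained — I'd use `// StripEscapes returns s with all control characters below ASCII 32 removed, except TAB, LF and CR (see RFC 1288 section 3.3).` Minor: a `strings.Builder` with `Grow(len(s))` would avoid the extra copy that `bytes.Buffer.String()` makes on every line.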