From 70436f237f896aa7651ef259c16a19302e85df38 Mon Sep 17 00:00:00 2001
From: Scott Worley <scottworley@scottworley.com>
Date: Sat, 24 Aug 2024 03:24:01 -0700
Subject: [PATCH] Escape HTML characters properly

---
 Changelog | 1 +
 src/lib.rs | 149 ++++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 108 insertions(+), 42 deletions(-)

diff --git a/Changelog b/Changelog
index 347ca9e..a0f0693 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,6 @@
 ## [Unreleased]
 - Center text in each cell
+- Escape HTML characters properly
 
 ## [0.2.1] - 2024-08-20
 - A little more space up top
diff --git a/src/lib.rs b/src/lib.rs
index e636bb2..370eb5d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -38,6 +38,43 @@ const FOOTER: &str = "
 </tbody>
 </body>
 </html>";
+#[derive(PartialEq, Eq, Debug)]
+pub struct HTML(String);
+impl HTML {
+ fn escape(value: &str) -> HTML {
+ let mut escaped: String = String::new();
+ for c in value.chars() {
+ match c {
+ '>' => escaped.push_str(">"),
+ '<' => escaped.push_str("<"),
+ '\'' => escaped.push_str("'"),
+ '"' => escaped.push_str("""),
+ '&' => escaped.push_str("&"),
+ ok_c => escaped.push(ok_c),
+ }
+ }
+ HTML(escaped)
+ }
+}
+impl From<&str> for HTML {
+ fn from(value: &str) -> HTML {
+ HTML(String::from(value))
+ }
+}
+impl FromIterator<HTML> for HTML {
+ fn from_iter<T>(iter: T) -> HTML
+ where
+ T: IntoIterator<Item = HTML>,
+ {
+ HTML(iter.into_iter().map(|html| html.0).collect::<String>())
+ }
+}
+impl std::fmt::Display for HTML {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ write!(f, "{}", self.0)
+ }
+}
+
 #[derive(Debug, PartialEq, Eq, Hash)]
 struct Entry {
 col: String,
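Review bot: The unchecked constructors of the new `HTML` newtype are the public ones while the checked one is private: `impl From<&str> for HTML` wraps any string unescaped and is reachable from outside the crate, whereas `fn escape` is module-private, so an external caller can only build an `HTML` by skipping escaping. I would make `escape` `pub`, replace the `From<&str>` impl with an explicitly named inherent constructor such as `pub(crate) fn trusted(value: &str) -> HTML` for the literal fragments, and document the type: `/// An HTML fragment whose text is already escaped. Build it with [`HTML::escape`]; the unchecked constructors are for trusted literals only.` The `FromIterator` and `Display` impls are fine as they are, since they only combine or print fragments that were already built.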
@@ -148,54 +185,62 @@ fn column_order(rows: &[RowInput]) -> Vec<String> {
 .collect()
 }
 
-fn render_instance(entry: &Entry) -> String {
+fn render_instance(entry: &Entry) -> HTML {
 match &entry.instance {
- None => String::from("â"),
- Some(instance) => String::from(instance),
+ None => HTML::from("â"),
+ Some(instance) => HTML::escape(instance.as_ref()),
 }
 }
 
-fn render_cell(col: &str, row: &RowInput) -> String {
- // TODO: Escape HTML special characters
- let row_label = &row.label;
+fn render_cell(col: &str, row: &RowInput) -> HTML {
+ let row_label = HTML::escape(row.label.as_ref());
+ let col_label = HTML::escape(col);
 let entries: Vec<&Entry> = row.entries.iter().filter(|e| e.col == col).collect();
- let class = if entries.is_empty() { "" } else { "yes" };
+ let class = HTML::from(if entries.is_empty() { "" } else { "yes" });
 let all_empty = entries.iter().all(|e| e.instance.is_none());
 let contents = if entries.is_empty() || (all_empty && entries.len() == 1) {
- String::new()
+ HTML::from("")
 } else if all_empty {
- format!("{}", entries.len())
+ HTML(format!("{}", entries.len()))
 } else {
- entries
- .iter()
- .map(|i| render_instance(i))
- .collect::<Vec<_>>()
- .join(" ")
+ HTML(
+ entries
+ .iter()
+ .map(|i| render_instance(i))
+ .map(|html| html.0) // Waiting for slice_concat_trait to stabilize
+ .collect::<Vec<_>>()
+ .join(" "),
+ )
 };
- format!("<td class=\"{class}\" onmouseover=\"h2('{row_label}','{col}')\" onmouseout=\"ch2('{row_label}','{col}')\">{contents}</td>")
+ HTML(format!("<td class=\"{class}\" onmouseover=\"h2('{row_label}','{col_label}')\" onmouseout=\"ch2('{row_label}','{col_label}')\">{contents}</td>"))
 }
 
-fn render_row(columns: &[String], row: &RowInput) -> String {
+fn render_row(columns: &[String], row: &RowInput) -> HTML {
 // This is O(n^2) & doesn't need to be
- // TODO: Escape HTML special characters
- let row_label = &row.label;
- format!(
+ let row_label = HTML::escape(row.label.as_ref());
+ HTML(format!(
 "<tr><th id=\"{row_label}\">{row_label}</th>{}</tr>\n",
 &columns
 .iter()
 .map(|col| render_cell(col, row))
- .collect::<String>()
- )
+ .collect::<HTML>()
+ ))
 }
 
-fn render_column_headers(columns: &[String]) -> String {
- // TODO: Escape HTML special characters
- String::from("<tr class=\"key\"><th></th>")
- + &columns.iter().fold(String::new(), |mut acc, c| {
- write!(&mut acc, "<th id=\"{c}\"><div><div>{c}</div></div></th>").unwrap();
- acc
- })
- + "</tr>\n"
+fn render_column_headers(columns: &[String]) -> HTML {
+ HTML(
+ String::from("<tr class=\"key\"><th></th>")
+ + &columns.iter().fold(String::new(), |mut acc, col| {
+ let col_header = HTML::escape(col.as_ref());
+ write!(
+ &mut acc,
+ "<th id=\"{col_header}\"><div><div>{col_header}</div></div></th>"
+ )
+ .unwrap();
+ acc
+ })
+ + "</tr>\n",
+ )
 }
 
 /// # Errors
@@ -204,16 +249,16 @@ fn render_column_headers(columns: &[String]) -> String {
 /// * there's an i/o error while reading `input`
 /// * the log has invalid syntax:
 /// * an indented line with no preceding non-indented line
-pub fn tablify(input: impl std::io::Read) -> Result<String, std::io::Error> {
+pub fn tablify(input: impl std::io::Read) -> Result<HTML, std::io::Error> {
 let rows = read_rows(input).collect::<Result<Vec<_>, _>>()?;
 let columns = column_order(&rows);
- Ok(String::from(HEADER)
- + &render_column_headers(&columns)
- + &rows
- .into_iter()
+ Ok(HTML(format!(
+ "{HEADER}{}{}{FOOTER}",
+ render_column_headers(&columns),
+ rows.into_iter()
 .map(|r| render_row(&columns, &r))
- .collect::<String>()
- + FOOTER)
+ .collect::<HTML>()
+ )))
 }
 
 #[cfg(test)]
@@ -385,7 +430,7 @@ mod tests {
 entries: vec![]
 }
 ),
- String::from("<td class=\"\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\"></td>")
+ HTML::from("<td class=\"\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\"></td>")
 );
 assert_eq!(
 render_cell(
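Review bot: In render_cell's `HTML(format!("<td class=\"{class}\" onmouseover=\"h2('{row_label}','{col_label}')\" ..."))` line, `row_label` and `col_label` are placed inside a JavaScript string literal in an event-handler attribute, and the HTML parser decodes character references in attribute values before the handler source is parsed as JavaScript, so the reference `escape` emits for `'` reaches the JS parser as a plain `'` and still terminates the literal, leaving the rest of the label to be read as script. HTML escaping is the right fix for `id=\"{row_label}\"` and for the cell text, but the handler arguments need a JavaScript-string escaping step applied before HTML escaping, or better, the labels moved into `data-` attributes with the handlers attached by the script in `HEADER`. The new `bob's` assertion in the last hunk only checks the HTML layer, so it passes either way and does not catch this. render_column_headers already calls `write!` on a `String`, so the helper below should need no new import; the sketch keeps the inline handlers and only changes how the two labels are prepared.

```rust
/// Escape `value` for use inside a JavaScript string literal that itself sits
/// in an HTML attribute: every character that could close the literal, or that
/// the HTML attribute decoder would rewrite, becomes a `\uXXXX` escape, which
/// survives both the attribute decoder and the JS parser unchanged. Only BMP
/// characters are matched, so four hex digits always suffice.
fn escape_js_string(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for c in value.chars() {
        match c {
            '\\' | '\'' | '"' | '<' | '>' | '&' | '\n' | '\r' | '\u{2028}' | '\u{2029}' => {
                write!(&mut out, "\\u{:04X}", c as u32).unwrap()
            }
            ok_c => out.push(ok_c),
        }
    }
    out
}

fn render_cell(col: &str, row: &RowInput) -> HTML {
    // Both labels only appear inside the handlers' JS string literals here,
    // so they are JS-escaped first and HTML-escaped second.
    let row_label = HTML::escape(&escape_js_string(&row.label));
    let col_label = HTML::escape(&escape_js_string(col));
    // … unchanged: entries, class, all_empty, contents …
    HTML(format!("<td class=\"{class}\" onmouseover=\"h2('{row_label}','{col_label}')\" onmouseout=\"ch2('{row_label}','{col_label}')\">{contents}</td>"))
}
```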
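Review bot: `tablify` is the crate's public entry point and its return type changes from `String` to `HTML`, which breaks every existing caller that stored or concatenated the result, yet neither the Changelog entry nor the doc comment (which begins before this hunk) mentions it. I would add a sentence to the doc comment, e.g. `/// Returns the rendered document as [`HTML`]; call `.to_string()` on it for the text.`, and mark the Unreleased changelog entry as a breaking change.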
@@ -395,7 +440,7 @@ mod tests {
 entries: vec![Entry::from("bar")]
 }
 ),
- String::from("<td class=\"\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\"></td>")
+ HTML::from("<td class=\"\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\"></td>")
 );
 assert_eq!(
 render_cell(
@@ -405,7 +450,7 @@ mod tests {
 entries: vec![Entry::from("foo")]
 }
 ),
- String::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\"></td>")
+ HTML::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\"></td>")
 );
 assert_eq!(
 render_cell(
@@ -415,7 +460,7 @@ mod tests {
 entries: vec![Entry::from("foo"), Entry::from("foo")]
 }
 ),
- String::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\">2</td>")
+ HTML::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\">2</td>")
 );
 assert_eq!(
 render_cell(
@@ -425,7 +470,7 @@ mod tests {
 entries: vec![Entry::from("foo: 5"), Entry::from("foo: 10")]
 }
 ),
- String::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\">5 10</td>")
+ HTML::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\">5 10</td>")
 );
 assert_eq!(
 render_cell(
@@ -435,7 +480,27 @@ mod tests {
 entries: vec![Entry::from("foo: 5"), Entry::from("foo")]
 }
 ),
- String::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\">5 â</td>")
+ HTML::from("<td class=\"yes\" onmouseover=\"h2('nope','foo')\" onmouseout=\"ch2('nope','foo')\">5 â</td>")
+ );
+ assert_eq!(
+ render_cell(
+ "heart",
+ &RowInput {
+ label: String::from("nope"),
+ entries: vec![Entry::from("heart: <3")]
+ }
+ ),
+ HTML::from("<td class=\"yes\" onmouseover=\"h2('nope','heart')\" onmouseout=\"ch2('nope','heart')\"><3</td>")
+ );
+ assert_eq!(
+ render_cell(
+ "foo",
+ &RowInput {
+ label: String::from("bob's"),
+ entries: vec![Entry::from("foo")]
+ }
+ ),
+ HTML::from("<td class=\"yes\" onmouseover=\"h2('bob's','foo')\" onmouseout=\"ch2('bob's','foo')\"></td>")
 );
 }
 }
-- 
2.47.2
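Review bot: The two new assertions cover only `<` and `'`, and only through render_cell; nothing exercises the `>`, `"` and `&` arms of `HTML::escape`, nor the escaping added to render_row and render_column_headers in the earlier hunk. A direct test such as `assert_eq!(HTML::escape("<>\"'&"), HTML::from(/* the five references */ "…"))` pinning all five substitutions, plus one render_column_headers case with a column label that needs escaping, would check the new behaviour independently of the cell layout. The enclosing test function and `mod tests` continue outside the hunk.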