Escape URL when rewriting DASH responses.

Kavin 2023-12-14 05:03:08 +00:00
parent 7586ae314b
commit 19dca8bdd0
No known key found for this signature in database
GPG key ID: 6E4598CA5C92C41F


@ -410,7 +410,8 @@ async fn index(req: HttpRequest) -> Result<HttpResponse, Box<dyn Error>> {
for capture in captures { for capture in captures {
let url = capture.get(1).unwrap().as_str(); let url = capture.get(1).unwrap().as_str();
let new_url = localize_url(url, host.as_str()); let new_url = localize_url(url, host.as_str());
new_resp = new_resp.replace(url, new_url.as_str()); let new_url = escape_xml(new_url.as_str());
new_resp = new_resp.replace(url, new_url.as_ref());
} }
return Ok(response.body(new_resp)); return Ok(response.body(new_resp));
} }
@ -635,6 +636,27 @@ fn finalize_url(path: &str, query: BTreeMap<String, String>) -> String {
format!("{}?{}", path, query) format!("{}?{}", path, query)
} }
pub fn escape_xml(raw: &str) -> Cow<'_, str> {
if !raw.contains(&['<', '>', '&', '\'', '"'][..]) {
// If there are no characters to escape, return the original string.
Cow::Borrowed(raw)
} else {
// If there are characters to escape, build a new string with the replacements.
let mut escaped = String::with_capacity(raw.len());
for c in raw.chars() {
match c {
'<' => escaped.push_str("&lt;"),
'>' => escaped.push_str("&gt;"),
'&' => escaped.push_str("&amp;"),
'\'' => escaped.push_str("&apos;"),
'"' => escaped.push_str("&quot;"),
_ => escaped.push(c),
}
}
Cow::Owned(escaped)
}
}
fn localize_url(url: &str, host: &str) -> String { fn localize_url(url: &str, host: &str) -> String {
if url.starts_with("https://") { if url.starts_with("https://") {
let url = Url::parse(url).unwrap(); let url = Url::parse(url).unwrap();
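Review bot: In the `index` hunk, `url` is captured from the manifest text and is presumably still entity-encoded when it reaches `localize_url`, yet the result is now passed through `escape_xml`; an upstream URL that already contains `&amp;` would likely be parsed with a literal `amp;` in its query and then emitted as `&amp;amp;`. Decoding the five entities in the captured value before `localize_url`, and escaping once on output, would keep the round trip symmetric. Separately, `new_resp.replace(url, ...)` rewrites every occurrence of the raw text in the whole body, so a capture that happens to be a prefix of another URL could corrupt the longer one; replacing at the match offsets would avoid that. `escape_xml` is `pub` and has no doc comment; something like `/// Escapes the five XML special characters (< > & ' "), borrowing the input when nothing needs escaping.` would state its contract. The body of `index` starts outside the hunk, so how `captures` is produced is not visible here.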