follow OWASP recommendation for html escapes

svn path=/trunk/; revision=29

diff --git a/cgi.sh b/cgi.sh
index bba28548768d4f9ddef3e25c941bd13fe8529834..7ff73d0ca4c8effe4b1df85c851b38d3e902f6ec 100755 (executable)
--- a/cgi.sh
+++ b/cgi.sh
@@ -1,6 +1,6 @@
 #!/bin/zsh
 
-# Copyright 2014,2015 Paul Hänsch
+# Copyright 2014 - 2016 Paul Hänsch
 #
 # This file is part of shcgi.
 # 
@@ -70,25 +70,57 @@ cgi_cookie() { # Parse GET data from referer
   done
 }
 
-urlsafe(){
-  printf %s "$*" \
-  | sed 's;%;%25;g;
-         s;\?;%3f;g;
-         s;#;%23;g;
-         s;<;%3c;g;
-         s;>;%3e;g;
-         s;&;%26;g;
-         s;";%22;g;
-         s;'\'';%27;g;'
-}
-
 htmlsafe(){
+  # escape HTML code from string
+
   printf %s "$*" \
   | sed 's;&;\&amp\;;g;
          s;<;\&lt\;;g;
          s;>;\&gt\;;g;
          s;";\&quot\;;g;
-         s;'\'';\&apos\;;g;'
+         s;/;\&#x2F\;;g;
+         s;'\'';\&#x27\;;g;'
+}
+
+urlsafe(){
+  # Code every character in URL escape hex format
+  # except alphanumeric ascii
+
+  printf %s "$*" \
+  | hexdump -v -e '/1 ",%02X"' \
+  | tr , % \
+  | sed 's;%30;0;g; s;%31;1;g; s;%32;2;g; s;%33;3;g; s;%34;4;g; s;%35;5;g;
+         s;%36;6;g; s;%37;7;g; s;%38;8;g; s;%39;9;g;
+         s;%41;A;g; s;%42;B;g; s;%43;C;g; s;%44;D;g; s;%45;E;g; s;%46;F;g;
+         s;%47;G;g; s;%48;H;g; s;%49;I;g; s;%4A;J;g; s;%4B;K;g; s;%4C;L;g;
+         s;%4D;M;g; s;%4E;N;g; s;%4F;O;g; s;%50;P;g; s;%51;Q;g; s;%52;R;g;
+         s;%53;S;g; s;%54;T;g; s;%55;U;g; s;%56;V;g; s;%57;W;g; s;%58;X;g;
+         s;%59;Y;g; s;%5A;Z;g;
+         s;%61;a;g; s;%62;b;g; s;%63;c;g; s;%64;d;g; s;%65;e;g; s;%66;f;g;
+         s;%67;g;g; s;%68;h;g; s;%69;i;g; s;%6A;j;g; s;%6B;k;g; s;%6C;l;g;
+         s;%6D;m;g; s;%6E;n;g; s;%6F;o;g; s;%70;p;g; s;%71;q;g; s;%72;r;g;
+         s;%73;s;g; s;%74;t;g; s;%75;u;g; s;%76;v;g; s;%77;w;g; s;%78;x;g;
+         s;%79;y;g; s;%7A;z;g;'
+}
+
+attribsafe(){
+  # Code every character in HTML escape hex format
+  # except alphanumerig ascii
+
+  printf %s "$*" \
+  | hexdump -v -e '/1 "&#x%02X;"' \
+  | sed 's;&#x30\;;0;g; s;&#x31\;;1;g; s;&#x32\;;2;g; s;&#x33\;;3;g; s;&#x34\;;4;g; s;&#x35\;;5;g;
+         s;&#x36\;;6;g; s;&#x37\;;7;g; s;&#x38\;;8;g; s;&#x39\;;9;g;
+         s;&#x41\;;A;g; s;&#x42\;;B;g; s;&#x43\;;C;g; s;&#x44\;;D;g; s;&#x45\;;E;g; s;&#x46\;;F;g;
+         s;&#x47\;;G;g; s;&#x48\;;H;g; s;&#x49\;;I;g; s;&#x4A\;;J;g; s;&#x4B\;;K;g; s;&#x4C\;;L;g;
+         s;&#x4D\;;M;g; s;&#x4E\;;N;g; s;&#x4F\;;O;g; s;&#x50\;;P;g; s;&#x51\;;Q;g; s;&#x52\;;R;g;
+         s;&#x53\;;S;g; s;&#x54\;;T;g; s;&#x55\;;U;g; s;&#x56\;;V;g; s;&#x57\;;W;g; s;&#x58\;;X;g;
+         s;&#x59\;;Y;g; s;&#x5A\;;Z;g;
+         s;&#x61\;;a;g; s;&#x62\;;b;g; s;&#x63\;;c;g; s;&#x64\;;d;g; s;&#x65\;;e;g; s;&#x66\;;f;g;
+         s;&#x67\;;g;g; s;&#x68\;;h;g; s;&#x69\;;i;g; s;&#x6A\;;j;g; s;&#x6B\;;k;g; s;&#x6C\;;l;g;
+         s;&#x6D\;;m;g; s;&#x6E\;;n;g; s;&#x6F\;;o;g; s;&#x70\;;p;g; s;&#x71\;;q;g; s;&#x72\;;r;g;
+         s;&#x73\;;s;g; s;&#x74\;;t;g; s;&#x75\;;u;g; s;&#x76\;;v;g; s;&#x77\;;w;g; s;&#x78\;;x;g;
+         s;&#x79\;;y;g; s;&#x7A\;;z;g;'
 }
 
 redirect(){