html: Don't escape ASCII chars in href attributes

In several cases, href attributes can contain ASCII characters which are illegal in URIs. Escaping them often does more harm than good. Fixes #321.
2025-03-28 21:33:13 +00:00 · 2022-11-14 21:02:15 +01:00 · 2022-11-14 21:02:15 +01:00 · 76d6b0d768
commit 76d6b0d768
parent 4955e0c9e1
5 changed files with 15 additions and 10 deletions
--- a/HTMLtree.c
+++ b/HTMLtree.c
@ -701,10 +701,15 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur) {
 		while (IS_BLANK_CH(*tmp)) tmp++;

 		/*
-		 * the < and > have already been escaped at the entity level
-		 * And doing so here breaks server side includes
+                 * Angle brackets are technically illegal in URIs, but they're
+                 * used in server side includes, for example. Curly brackets
+                 * are illegal as well and often used in templates.
+                 * Don't escape non-whitespace, printable ASCII chars for
+                 * improved interoperability. Only escape space, control
+                 * and non-ASCII chars.
 		 */
-		escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
+		escaped = xmlURIEscapeStr(tmp,
+                        BAD_CAST "\"#$%&+,/:;<=>?@[\\]^`{|}");
 		if (escaped != NULL) {
 		    xmlBufWriteQuotedString(buf->buffer, escaped);
 		    xmlFree(escaped);
--- a/result/HTML/doc3.htm
+++ b/result/HTML/doc3.htm
@ -47,7 +47,7 @@ eval("page" + id + " = window.open(URL, '" + id + "', 'toolbars=0, scrollbars=0,
    <td valign="top" width="31"><a href="http://bp6.gamesquad.net/"><img align="bottom" border="0" height="74" src="doc3_files/logo.gif" width="252"></a></td>
    <td align="left" bgcolor="#000000">
 <img height="15" src="doc3_files/spacer.gif" width="15"><!-- START GAMESQUAD.NET IFRAME RICH MEDIA CODE --> <!-- © 2000 GameSquad.net All Rights Reserved. --><iframe border="0" frameborder="no" height="60" marginheight="0" marginwidth="0" scrolling="no" src="doc3_files/adcycle.htm" width="468">
-<a href="http://ads.gamesquad.net/addclick.exe/adclick.cgi?REGION=game%7Ctech%7Cent&amp;id=1" target="_top"><img src="http://ads.gamesquad.net/addclick.exe/adcycle.cgi?group=52&amp;media=1&amp;id=1" width="468" height="60" border="0" alt="GSN ROS Ad"></a>
+<a href="http://ads.gamesquad.net/addclick.exe/adclick.cgi?REGION=game|tech|ent&amp;id=1" target="_top"><img src="http://ads.gamesquad.net/addclick.exe/adcycle.cgi?group=52&amp;media=1&amp;id=1" width="468" height="60" border="0" alt="GSN ROS Ad"></a>
 </iframe><!-- END GAMESQUAD.NET IFRAME RICH MEDIA CODE --><br><img height="15" src="doc3_files/spacer.gif" width="400"> </td>
 </tr>
  <tr>
--- a/result/HTML/utf8bug.html
+++ b/result/HTML/utf8bug.html
@ -43,7 +43,7 @@
 درباره من </a></span> <span class="Item">
 <a href="RSS2.asp">

-<img src="showimage.aspx?path=Files_Upload%5C192.png&amp;width=%&gt;" border="0">
+<img src="showimage.aspx?path=Files_Upload\192.png&amp;width=%&gt;" border="0">
 RSS </a></span> <span class="Item">
 <a href="">
 </a></span>
@ -117,8 +117,8 @@ function ChangeSize( trgt,sz ) {
 			
 			<div class="Image">
 				
-				<a href="showimage.aspx?path=Files_Upload%5C302.JPG&amp;Width=" rel="lightbox" title="شهير بلاگ">
-				<img src="showimage.aspx?path=Files_Upload%5C302.JPG&amp;Width=220" align="left" border="1">
+				<a href="showimage.aspx?path=Files_Upload\302.JPG&amp;Width=" rel="lightbox" title="شهير بلاگ">
+				<img src="showimage.aspx?path=Files_Upload\302.JPG&amp;Width=220" align="left" border="1">
 				</a>
 </div>
 			<strong><font size="4"><font color="#0000ff">عکس</font> <font color="#0000ff">محصول هنر یکی از همکاران است. روی آن کلیک کند.</font></font></strong><s1>  </s1>
--- a/result/HTML/wired.html
+++ b/result/HTML/wired.html
@ -234,7 +234,7 @@
    <td bgcolor="#99FF99"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#000000"><a href="http://redirect.wired.com/redir/51/http://stocks.wired.com/">Today's Summary</a></font></td>
  </tr>
  <tr> 
-    <td bgcolor="#CCFFCC"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#000000"><a href="http://r.wired.com/r/hb_fin_r_wn_top/http://stocks.wired.com/stocks_indexes_detail.asp?Symbol=%24WIRED">Wired Index</a> | <a href="http://redirect.wired.com/redir/52/http://stocks.wired.com/stocks_indexes.asp%20">All Indexes</a></font></td>
+    <td bgcolor="#CCFFCC"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#000000"><a href="http://r.wired.com/r/hb_fin_r_wn_top/http://stocks.wired.com/stocks_indexes_detail.asp?Symbol=$WIRED">Wired Index</a> | <a href="http://redirect.wired.com/redir/52/http://stocks.wired.com/stocks_indexes.asp%20">All Indexes</a></font></td>
  </tr>
  <tr> 
    <td bgcolor="#99FF99"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#000000"><a href="http://redirect.wired.com/redir/53/http://stocks.wired.com/stocks_portfolios.asp">Portfolios</a></font></td>
--- a/uri.c
+++ b/uri.c
@ -1673,8 +1673,8 @@ xmlURIUnescapeString(const char *str, int len, char *target) {
 * @str:  string to escape
 * @list: exception list string of chars not to escape
 *
- * This routine escapes a string to hex, ignoring reserved characters (a-z)
- * and the characters in the exception list.
+ * This routine escapes a string to hex, ignoring reserved characters
+ * (a-z, A-Z, 0-9, "@-_.!~*'()") and the characters in the exception list.
 *
 * Returns a new escaped string or NULL in case of error.
 */