View Issue Details

ID: 0019407
Project: FPC
Category: Packages
View Status: public
Last Update: 2011-06-14 21:58
Reporter: Ido Kanner
Assigned To: Michael Van Canneyt
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Target Version: 2.6.0
Fixed in Version: 2.6.0
Summary: 0019407: htmlelements.pp does not contain escape and unescape routines for HTML
Description: htmlelements.pp does not contain any code for escaping and un-escaping HTML code.

The following patch adds basic HTML escaping and un-escaping that can be used everywhere.
Tags: No tags attached.
Fixed in Revision: 17718.

Activities

Ido Kanner

2011-05-24 10:07

htmlelemnts.pp.diff (1,706 bytes)
Index: htmlelements.pp
===================================================================
--- htmlelements.pp	(revision 17544)
+++ htmlelements.pp	(working copy)
@@ -128,9 +128,31 @@
     procedure WriteToStream (const aStream : TStream);  override;
   end;
 
+function EscapeHTML(const s : String) : String;
+function UnescapeHTML(const s : String) : String;
+
 implementation
 
+function EscapeHTML ( const S : String ) : String;
+begin
+  Result := StringReplace(s,      '&', '&',  [rfReplaceAll]);
+  Result := StringReplace(Result, '<', '&lt;',   [rfReplaceAll]);
+  Result := StringReplace(Result, '>', '&gt;',   [rfReplaceAll]);
+  Result := StringReplace(Result, '"', '&quot;', [rfReplaceAll]);
+  Result := StringReplace(Result, #39, '&#39;',  [rfReplaceAll]); // ' - &apos; does not work on ie :(
+end;
 
+function UnescapeHTML ( const S : String ) : String;
+begin
+  Result := StringReplace(s,      '&amp;',  '&', [rfReplaceAll]);
+  Result := StringReplace(Result, '&lt;',   '<', [rfReplaceAll]);
+  Result := StringReplace(Result, '&gt;',   '>', [rfReplaceAll]);
+  Result := StringReplace(Result, '&quot;', '"', [rfReplaceAll]);
+  Result := StringReplace(Result, '&#39;',  #39, [rfReplaceAll]); // '
+  Result := StringReplace(Result, '&apos;', #39, [rfReplaceAll]); // '
+end; 
+
+
 { THtmlCustomElement }
 
 function THtmlCustomElement.GetAttributeName(index:integer): DOMString;
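Review bot: the ampersand replacement in EscapeHTML, `Result := StringReplace(s, '&', '&', [rfReplaceAll]);`, replaces '&' with itself as shown, so '&' is never encoded even though UnescapeHTML in the same hunk decodes '&amp;'; the replacement text should be '&amp;'. Independently, UnescapeHTML decodes '&amp;' first, so text that was escaped from a literal '&lt;' (i.e. '&amp;lt;') is turned into '&lt;' and then into '<', which breaks the escape/unescape round trip and re-introduces markup the caller had escaped; decode '&amp;' after the other entities. Nits: the declaration uses `const s` while the implementation uses `const S`, `end; ` carries trailing whitespace, and two blank lines are added before `{ THtmlCustomElement }`.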
@@ -201,8 +223,7 @@
 
 function THtmlCustomElement.EscapeString(s: string): string;
 begin
-  result := s;
-  //TODO: Needs to convert all the special signs to their html names ("<" has to be "&lt;" etc.)
+  result := EscapeHTML(s);
 end;
 
 constructor THtmlCustomElement.create(AOwner: TDOMDocument);
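Review bot: the removed TODO was the only documentation of what EscapeString guarantees; replace it with a one-line comment stating that EscapeString now applies EscapeHTML (and therefore also escapes quote characters, not only `<` and `>`), so callers that emit attribute values know what they get. Consider `const s: string` to match EscapeHTML's signature.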

Attila Borka

2011-05-25 08:47

reporter   ~0048557

Function HTTPDecode(const AStr: String): String;
Function HTTPEncode(const AStr: String): String;

in unit httpdefs.pp of fcl-web that can do this instead, right?

Ido Kanner

2011-05-25 09:32

htmlelemnts2.pp.diff (1,706 bytes)
Index: htmlelements.pp
===================================================================
--- htmlelements.pp	(revision 17550)
+++ htmlelements.pp	(working copy)
@@ -128,9 +128,31 @@
     procedure WriteToStream (const aStream : TStream);  override;
   end;
 
+function EscapeHTML(const s : String) : String;
+function UnescapeHTML(const s : String) : String;
+
 implementation
 
+function EscapeHTML ( const S : String ) : String;
+begin
+  Result := StringReplace(s,      '&', '&amp;',  [rfReplaceAll]);
+  Result := StringReplace(Result, '<', '&lt;',   [rfReplaceAll]);
+  Result := StringReplace(Result, '>', '&gt;',   [rfReplaceAll]);
+  Result := StringReplace(Result, '"', '&quot;', [rfReplaceAll]);
+  Result := StringReplace(Result, #39, '&#39;',  [rfReplaceAll]); // ' - &apos; does not work on ie :(
+end;
 
+function UnescapeHTML ( const S : String ) : String;
+begin
+  Result := StringReplace(s,      '&lt;',   '<', [rfReplaceAll]);
+  Result := StringReplace(Result, '&gt;',   '>', [rfReplaceAll]);
+  Result := StringReplace(Result, '&quot;', '"', [rfReplaceAll]);
+  Result := StringReplace(Result, '&#39;',  #39, [rfReplaceAll]); // '
+  Result := StringReplace(Result, '&apos;', #39, [rfReplaceAll]); // '
+  Result := StringReplace(Result, '&amp;',  '&', [rfReplaceAll]);
+end; 
+
+
 { THtmlCustomElement }
 
 function THtmlCustomElement.GetAttributeName(index:integer): DOMString;
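Review bot: with '&' encoded first in EscapeHTML and '&amp;' decoded last in UnescapeHTML, escape followed by unescape is now the identity for the entities handled here, which fixes the double-decoding of '&amp;lt;' in the previous attachment. Two points remain: UnescapeHTML knows only five named entities plus '&#39;' and '&apos;', so every other character reference (other numeric references, other named entities) passes through untouched, and nothing in the unit says so; add a comment above the function stating that limitation or delegate to a full entity resolver. Also, EscapeHTML never emits '&apos;' (per the IE comment), so its decoding branch only matters for input that did not come from EscapeHTML, which deserves a comment. Nits: trailing whitespace after `end; ` and two blank lines before `{ THtmlCustomElement }`.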
@@ -201,8 +223,7 @@
 
 function THtmlCustomElement.EscapeString(s: string): string;
 begin
-  result := s;
-  //TODO: Needs to convert all the special signs to their html names ("<" has to be "&lt;" etc.)
+  result := EscapeHTML(s);
 end;
 
 constructor THtmlCustomElement.create(AOwner: TDOMDocument);
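Review bot: same as in the first attachment, this hunk drops the TODO without replacing it; a one-line comment that EscapeString now delegates to EscapeHTML, and so escapes `"` and `'` as well as `&`, `<` and `>`, would document the new behaviour for callers.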

Ido Kanner

2011-05-25 09:34

reporter   ~0048561

Moved the "&amp;" to "&" replacement to the last line instead of the first line.
That fixes cases where "&amp;lt;" was converted into "<"; now it will be converted to "&lt;" instead.
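As an added illustration of the ordering point above (example code, not part of the patch or of FPC), the following Python mirrors the two UnescapeHTML orderings from the two attachments and runs an escape/unescape round trip over constructed sample strings:

```python
# Added example, not FPC code: mirrors the two UnescapeHTML orderings from the
# patches on this issue and checks which one survives an escape/unescape round trip.

# Same five replacements as EscapeHTML, in the order the patch applies them.
ESCAPES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"), ("'", "&#39;")]


def escape_html(s: str) -> str:
    """Encode '&' first so the '&' in '&lt;' etc. is not re-encoded afterwards."""
    for raw, ent in ESCAPES:
        s = s.replace(raw, ent)
    return s


def escape_amp_last(s: str) -> str:
    """Wrong order, shown for contrast: '<' becomes '&lt;' and then '&amp;lt;'."""
    for raw, ent in ESCAPES[1:] + [("&", "&amp;")]:
        s = s.replace(raw, ent)
    return s


def unescape_v1(s: str) -> str:
    """First patch: '&amp;' decoded first, so '&amp;lt;' -> '&lt;' -> '<' (double decode)."""
    for raw, ent in [("&", "&amp;")] + ESCAPES[1:] + [("'", "&apos;")]:
        s = s.replace(ent, raw)
    return s


def unescape_v2(s: str) -> str:
    """Second patch: '&amp;' decoded last, so '&amp;lt;' -> the literal text '&lt;'."""
    for raw, ent in ESCAPES[1:] + [("'", "&apos;"), ("&", "&amp;")]:
        s = s.replace(ent, raw)
    return s


def roundtrip_failures(unescape, samples):
    """Return the inputs for which unescape(escape_html(x)) != x."""
    return [x for x in samples if unescape(escape_html(x)) != x]


# Constructed sample inputs; the ones already containing entity text are the
# interesting cases, since escaping them produces '&amp;...' sequences.
SAMPLES = ["a < b", "x &lt; y", "&lt;b&gt;", "&amp;", 'say "hi" & \'bye\'', "<script>"]

if __name__ == "__main__":
    print("v1 (first patch) breaks:", roundtrip_failures(unescape_v1, SAMPLES))
    print("v2 (second patch) breaks:", roundtrip_failures(unescape_v2, SAMPLES))
```

The first ordering turns user text that merely looked like an entity back into live markup after one escape/unescape cycle; the second ordering returns every sample unchanged.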

Ido Kanner

2011-05-25 09:35

reporter   ~0048562

Attila, no, they are for URI encoding; they do something different.
They change chars to their hex representation and not to HTML elements. If you place a link in your HTML and want to make sure that the GET parameters are escaped properly for the link itself, then you use them.

Michael Van Canneyt

2011-06-11 13:56

administrator   ~0049039

Added.
Note that these are poor man's encode and decode functions. I can see their use to create more or less errorless HTML.

But the HTMLDecode function is better replaced with ResolveHTMLEntityReference from htmldefs, which resolves far more symbols.

Issue History

Date Modified Username Field Change
2011-05-24 10:07 Ido Kanner New Issue
2011-05-24 10:07 Ido Kanner File Added: htmlelemnts.pp.diff
2011-05-24 11:15 Michael Van Canneyt Status new => assigned
2011-05-24 11:15 Michael Van Canneyt Assigned To => Michael Van Canneyt
2011-05-25 08:47 Attila Borka Note Added: 0048557
2011-05-25 09:32 Ido Kanner File Added: htmlelemnts2.pp.diff
2011-05-25 09:34 Ido Kanner Note Added: 0048561
2011-05-25 09:35 Ido Kanner Note Added: 0048562
2011-06-11 13:56 Michael Van Canneyt Fixed in Revision => 17718.
2011-06-11 13:56 Michael Van Canneyt Status assigned => resolved
2011-06-11 13:56 Michael Van Canneyt Fixed in Version => 2.5.1
2011-06-11 13:56 Michael Van Canneyt Resolution open => fixed
2011-06-11 13:56 Michael Van Canneyt Note Added: 0049039
2011-06-11 13:56 Michael Van Canneyt Target Version => 2.6.0
2011-06-14 21:58 Ido Kanner Status resolved => closed