From 986fef7edfbd7c029d624e8921d2aa6e228ccfcb Mon Sep 17 00:00:00 2001
From: Nedko Arnaudov <nedko@arnaudov.name>
Date: Sat, 12 Dec 2009 17:14:04 +0200
Subject: [PATCH] daemon: escape app strings (name, command) whens storing them
 in xml. Closes #27

---
 daemon/cmd_load_studio.c |  4 ++-
 daemon/cmd_save_studio.c | 57 +++++++++++++++++++++++++++++-----------
 daemon/escape.c          |  2 ++
 3 files changed, 47 insertions(+), 16 deletions(-)

diff --git a/daemon/cmd_load_studio.c b/daemon/cmd_load_studio.c
index 4e472b47..03b972d4 100644
--- a/daemon/cmd_load_studio.c
+++ b/daemon/cmd_load_studio.c
@@ -788,7 +788,9 @@ static void callback_elend(void * data, const char * el)
   }
   else if (context_ptr->element[context_ptr->depth] == PARSE_CONTEXT_APPLICATION)
   {
-    context_ptr->data[context_ptr->data_used] = 0;
+    context_ptr->data[unescape(context_ptr->data, context_ptr->data_used, context_ptr->data)] = 0;
+    unescape(context_ptr->str, strlen(context_ptr->str) + 1, context_ptr->str);
+
     log_info("application '%s' (%s, %s, level %u) with commandline '%s'", context_ptr->str, context_ptr->terminal ? "terminal" : "shell", context_ptr->autorun ? "autorun" : "stopped", (unsigned int)context_ptr->level, context_ptr->data);
 
     if (!ladish_app_supervisor_add(g_studio.app_supervisor, context_ptr->str, context_ptr->autorun, context_ptr->data, context_ptr->terminal, context_ptr->level))
diff --git a/daemon/cmd_save_studio.c b/daemon/cmd_save_studio.c
index 74d49faa..77bf2011 100644
--- a/daemon/cmd_save_studio.c
+++ b/daemon/cmd_save_studio.c
@@ -562,67 +562,94 @@ bool save_studio_connection(void * context, ladish_port_handle port1_handle, lad
 bool save_studio_app(void * context, const char * name, bool running, const char * command, bool terminal, uint8_t level)
 {
   char buf[100];
+  const char * unescaped_string;
+  char * escaped_string;
+  char * escaped_buffer;
+  bool ret;
 
   log_info("saving app: name='%s', %srunning, %s, level %u, commandline='%s'", name, running ? "" : "not ", terminal ? "terminal" : "shell", (unsigned int)level, command);
 
-  if (!write_string(fd, "    <application name=\""))
+  ret = false;
+
+  escaped_buffer = malloc(ladish_max(strlen(name), strlen(command)) * 3 + 1); /* encode each char in three bytes (percent encoding) */
+  if (escaped_buffer == NULL)
   {
-    return false;
+    log_error("malloc() failed.");
+    goto exit;
   }
 
-  if (!write_string(fd, name))
+  if (!write_string(fd, "    <application name=\""))
   {
-    return false;
+    goto free_buffer;
+  }
+
+  unescaped_string = name;
+  escaped_string = escaped_buffer;
+  escape(&unescaped_string, &escaped_string);
+  *escaped_string = 0;
+  if (!write_string(fd, escaped_buffer))
+  {
+    goto free_buffer;
   }
 
   if (!write_string(fd, "\" terminal=\""))
   {
-    return false;
+    goto free_buffer;
   }
 
   if (!write_string(fd, terminal ? "true" : "false"))
   {
-    return false;
+    goto free_buffer;
   }
 
   if (!write_string(fd, "\" level=\""))
   {
-    return false;
+    goto free_buffer;
   }
 
   sprintf(buf, "%u", (unsigned int)level);
 
   if (!write_string(fd, buf))
   {
-    return false;
+    goto free_buffer;
   }
 
   if (!write_string(fd, "\" autorun=\""))
   {
-    return false;
+    goto free_buffer;
   }
 
   if (!write_string(fd, running ? "true" : "false"))
   {
-    return false;
+    goto free_buffer;
   }
 
   if (!write_string(fd, "\">"))
   {
-    return false;
+    goto free_buffer;
   }
 
-  if (!write_string(fd, command))
+  unescaped_string = command;
+  escaped_string = escaped_buffer;
+  escape(&unescaped_string, &escaped_string);
+  *escaped_string = 0;
+  if (!write_string(fd, escaped_buffer))
   {
-    return false;
+    goto free_buffer;
   }
 
   if (!write_string(fd, "</application>\n"))
   {
-    return false;
+    goto free_buffer;
   }
 
-  return true;
+  ret = true;
+
+free_buffer:
+  free(escaped_buffer);
+
+exit:
+  return ret;
 }
 
 #undef indent
diff --git a/daemon/escape.c b/daemon/escape.c
index c6218667..b6b32545 100644
--- a/daemon/escape.c
+++ b/daemon/escape.c
@@ -46,6 +46,8 @@ void escape(const char ** src_ptr, char ** dst_ptr)
     case '<':               /* invalid attribute value char (XML spec) */
     case '&':               /* invalid attribute value char (XML spec) */
     case '"':               /* we store attribute values in double quotes - invalid attribute value char (XML spec) */
+    case '\'':
+    case '>':
     case '%':
       dst[0] = '%';
       dst[1] = hex_digits[*src >> 4];