authorEric Covener <covener@apache.org>2023-11-16 20:53:18 +0100
committerEric Covener <covener@apache.org>2023-11-16 20:53:18 +0100
commitfbc113c3cf43de7bf11b417f023ad2caf6b420a1 (patch)
tree1f29c24b1903e2dd5fdfad9b0a3e90370fda48c7
parentFollow up to r1874101: Axe useless LIBRESSL_VERSION_NUMBER check. (diff)
mod_ldap: HTML-escape ldap-status handler.
Reported by Chamal De Silva. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913855 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--changes-entries/ldap_status.txt2
-rw-r--r--modules/ldap/util_ldap_cache.c14
2 files changed, 9 insertions, 7 deletions
diff --git a/changes-entries/ldap_status.txt b/changes-entries/ldap_status.txt
new file mode 100644
index 0000000000..94f352d908
--- /dev/null
+++ b/changes-entries/ldap_status.txt
@@ -0,0 +1,2 @@
+ *) mod_ldap: HTML-escape data in the ldap-status handler.
+ [Eric Covener, Chamal De Silva]
diff --git a/modules/ldap/util_ldap_cache.c b/modules/ldap/util_ldap_cache.c
index 6a944daa84..7042878903 100644
--- a/modules/ldap/util_ldap_cache.c
+++ b/modules/ldap/util_ldap_cache.c
@@ -230,8 +230,8 @@ void util_ldap_search_node_display(request_rec *r, util_ald_cache_t *cache, void
"<td nowrap>%s</td>"
"<td nowrap>%s</td>"
"</tr>",
- node->username,
- node->dn,
+ ap_escape_html(r->pool, node->username),
+ ap_escape_html(r->pool, node->dn),
date_str);
}
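Review bot: The two new `ap_escape_html(r->pool, ...)` arguments in this call read through `node->username` and `node->dn`, and the hunk does not show that either is guaranteed non-NULL. As far as I recall, ap_escape_html walks its input without a NULL check, whereas APR's `%s` formatting printed a placeholder for a NULL pointer. If the cache insert/copy path does not already guarantee both fields are set, guard the call, e.g. `node->dn ? ap_escape_html(r->pool, node->dn) : ""`, so the escaping fix cannot turn a malformed cache entry into a crash of the status request. The same question applies to `node->attrib`, `node->value` and `node->reqdn` in the two later hunks. The function body starts outside this hunk.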
@@ -331,9 +331,9 @@ void util_ldap_compare_node_display(request_rec *r, util_ald_cache_t *cache, voi
"<td nowrap>%s</td>"
"<td nowrap>%s</td>"
"</tr>",
- node->dn,
- node->attrib,
- node->value,
+ ap_escape_html(r->pool, node->dn),
+ ap_escape_html(r->pool, node->attrib),
+ ap_escape_html(r->pool, node->value),
date_str,
cmp_result,
sub_groups_val,
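Review bot: `date_str`, `cmp_result` and `sub_groups_val` are still passed to `%s` unescaped right after the three escaped fields, and the argument list continues past the hunk, so a reader cannot tell whether they were left out deliberately. If they are built locally from fixed strings and a timestamp rather than from directory data, a short comment above the call would record that, e.g. `/* Only node->dn/attrib/value come from the directory; the rest are generated here. */`. If any of them can carry data from the LDAP server or the request, it needs the same `ap_escape_html` wrapping.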
@@ -391,8 +391,8 @@ void util_ldap_dn_compare_node_display(request_rec *r, util_ald_cache_t *cache,
"<td nowrap>%s</td>"
"<td nowrap>%s</td>"
"</tr>",
- node->reqdn,
- node->dn);
+ ap_escape_html(r->pool, node->reqdn),
+ ap_escape_html(r->pool, node->dn));
}