houdini's Introduction

Houdini - The Escapist

Houdini doesn't quite qualify as a library. In fact, I didn't even bother to write a Makefile (well, others did). It's zero-dependency and modular. Just stick the files you need in your project. Or go with all of them (e.g. via git submodule) and use the static library that is built by default when GNU make is invoked. Now you can freely escape some shit.

Houdini is a simple API for escaping text for the web. And unescaping it. But that kind of breaks the joke in the name so nevermind.

  • HTML escaping follows the OWASP suggestion. All other entities are left as-is.

      & --> &amp;
      < --> &lt;
      > --> &gt;
      " --> &quot;
      ' --> &#x27;     &apos; is not recommended
      / --> &#x2F;     forward slash is included as it helps end an HTML entity

  • HTML unescaping is fully RFC-compliant. Yes, that's the 253 different entities for you, and decimal/hex code point specifiers.

  • URI escaping and unescaping is fully RFC-compliant.

  • URL escaping and unescaping is the same as generic URIs, but spaces are changed to +.

WARNING: Houdini parses only UTF-8 strings, and generates only UTF-8 strings. If you are using another encoding, you should probably transcode before passing the buffer to Houdini.

Current API:

Do you really need docs for this?

int houdini_escape_html(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure);
int houdini_unescape_html(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_escape_xml(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_escape_uri(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_escape_url(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_escape_href(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_unescape_uri(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_unescape_url(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_escape_js(gh_buf *ob, const uint8_t *src, size_t size);
int houdini_unescape_js(gh_buf *ob, const uint8_t *src, size_t size);

Pass your string. It'll get escaped/unescaped in the target buffer, and the call will return 1. If the given string has nothing to escape/unescape, the call will return 0 and the output buffer will be empty.
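A self-contained C implementation of the OWASP escaping table listed above, following the same return convention (1 when something was escaped, 0 and no output otherwise). This is an added example, not Houdini's own code: `escape_html_owasp` and `html_entity` are names chosen here, and it writes to a malloc'd string instead of a `gh_buf` so it builds without the library.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for one byte, or NULL if the byte is copied verbatim.
   Table constructed from the README's OWASP list; not Houdini's table. */
static const char *html_entity(uint8_t c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#x27;";
    case '/':  return "&#x2F;";
    default:   return NULL;
    }
}

/* Escape src[0..size) into a newly malloc'd NUL-terminated string.
   Returns 1 and sets *out when something was escaped, returns 0 and
   sets *out = NULL when nothing needed escaping, -1 on allocation failure. */
int escape_html_owasp(const uint8_t *src, size_t size, char **out)
{
    size_t i, need = 0;
    int changed = 0;
    for (i = 0; i < size; i++) {            /* first pass: measure output */
        const char *ent = html_entity(src[i]);
        if (ent) { need += strlen(ent); changed = 1; }
        else need++;
    }
    *out = NULL;
    if (!changed) return 0;
    char *buf = malloc(need + 1);
    if (!buf) return -1;
    char *p = buf;
    for (i = 0; i < size; i++) {            /* second pass: emit */
        const char *ent = html_entity(src[i]);
        if (ent) { size_t n = strlen(ent); memcpy(p, ent, n); p += n; }
        else *p++ = (char)src[i];
    }
    *p = '\0';
    *out = buf;
    return 1;
}
```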

Questions?

Open an issue. Or shout angrily at me on Twitter (@vmg).

houdini's People

Contributors

dylanahsmith, przemoc, vmg

houdini's Issues

License

Hi Vincent,

could you add a license information to your project?
I hope it will be MIT (predominant Expat version), just for the greater good. :)

Thanks!

`houdini_unescape_url` for `%2B` returns whitespace (`0x20`) rather than `+` (`0x2b`)

While a literal + should be unescaped to a white space, an encoded + should be unescaped to a literal + and not a white space as is the current behaviour of houdini.

A quick demonstration:

#include <stdint.h>   /* uint8_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "houdini.h"

int main(int argc, char* argv[])
{
    /* literal '+' should become a space, "%2B" should become a literal '+' */
    const uint8_t *escaped = (uint8_t *)"+%2B";
    gh_buf unescaped = GH_BUF_INIT;

    if (houdini_unescape_url(&unescaped, escaped, 4) == 0)
    {
        fprintf(stderr, "Expected the escaped string to be unescaped\n");
        return EXIT_FAILURE;
    }

    if (strcmp(gh_buf_cstr(&unescaped), " +") != 0)
    {
        fprintf(stderr,
                "Expected the unescaped string to have a value of \" +\" but "
                "a value of \"%s\" was returned\n",
                gh_buf_cstr(&unescaped));
        return EXIT_FAILURE;
    }

    return EXIT_SUCCESS;
}

The output as produced by $ clang -lhoudini test_plus.c -o test_plus -Wall -pedantic && ./test_plus under Mac OS X 10.8 with clang 4.0 (LLVM 3.1) with test_plus.c being the above source code:

$ clang -lhoudini test_plus.c -o test_plus -Wall -pedantic && ./test_plus
Expected the unescaped string to have a value of " +" but a value of "  " was returned

Is this behaviour intentional?
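As an added illustration of the behaviour the report argues for (example code, not Houdini's implementation; `unescape_url_form` and `hexval` are names chosen here), a form-urlencoded decoder that maps a bare `+` to a space but `%2B` to a literal `+`, and copies malformed percent sequences through unchanged instead of dropping them:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode application/x-www-form-urlencoded bytes into a newly malloc'd
   NUL-terminated buffer. A bare '+' becomes a space; a valid %XX sequence
   becomes the byte XX, so "%2B" yields a literal '+' that is never
   re-interpreted. Malformed '%' sequences are copied through as-is.
   Returns 1 if anything was decoded, 0 (with *out = NULL) if nothing was,
   -1 on allocation failure. */
int unescape_url_form(const uint8_t *src, size_t size, char **out)
{
    char *buf = malloc(size + 1);   /* decoding never grows the input */
    size_t i, n = 0;
    int changed = 0;

    *out = NULL;
    if (!buf) return -1;
    for (i = 0; i < size; i++) {
        if (src[i] == '+') {
            buf[n++] = ' ';
            changed = 1;
        } else if (src[i] == '%' && i + 2 < size
                   && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            buf[n++] = (char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 2;                 /* consume the two hex digits */
            changed = 1;
        } else {
            buf[n++] = (char)src[i];
        }
    }
    buf[n] = '\0';
    if (!changed) { free(buf); return 0; }
    *out = buf;
    return 1;
}
```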

Javascript escaping not compatible with Rails

Hi,
I'm looking into a bug (brianmario/escape_utils#43) with the escape_utils gem, which relies on houdini.

The problem is that escape_utils relies on houdini's escape javascript function, which currently doesn't seem to be compatible with the typical Rails use-case.

The Rails escape_javascript function currently escapes carriage returns and single and double quotes for JavaScript segments. The typical use case is something like this:

$('some_element').replaceWith('<%=escape_javascript render 'some/element_template' %>');

The HTML output of the render call is escaped so that it is valid as a Javascript string.

Is it possible to change the current houdini javascript escape function to behave similarly? Or add options so that a Rails-compatible javascript escape is exposed? This would fix the bug in escape_utils.

Or if not, can you explain what the typical use case is for the existing escape javascript function?
