The display filter engine can return an error message that is not safe

when using GTK2 code for rendering the error. In order to correctly render the error message, it must be XML escaped. TODO: track down the remaining places where this XML escaping is required, and fix it there too (not sure if they exist though). svn path=/trunk/; revision=10764
2004-05-01 22:55:22 +00:00 · 2004-05-01 22:55:22 +00:00 · ec6f31bced
parent 2baed8579a
commit ec6f31bced
3 changed files with 31 additions and 6 deletions
--- a/file.c
+++ b/file.c
@ -1,7 +1,7 @@
 /* file.c
 * File I/O routines
 *
- * $Id: file.c,v 1.380 2004/05/01 15:15:07 ulfl Exp $
+ * $Id: file.c,v 1.381 2004/05/01 22:55:21 obiot Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@ethereal.com>
@ -979,13 +979,18 @@ filter_packets(capture_file *cf, gchar *dftext, gboolean force)
    dftext = g_strdup(dftext);
    if (!dfilter_compile(dftext, &dfcode)) {
      /* The attempt failed; report an error. */
+      gchar *safe_dftext = simple_dialog_format_message(dftext);
+      gchar *safe_dfilter_error_msg = simple_dialog_format_message(
+	  dfilter_error_msg);
      simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, 
          "%s%s%s\n"
          "\n"
-          "The display filter \"%s\" is not a valid display filter.\n"
+          "The following display filter is not a valid display filter:\n%s\n"
          "See the help for a description of the display filter syntax.",
-          simple_dialog_primary_start(), dfilter_error_msg,
-          simple_dialog_primary_end(), dftext);
+          simple_dialog_primary_start(), safe_dfilter_error_msg,
+          simple_dialog_primary_end(), safe_dftext);
+      g_free(safe_dfilter_error_msg);
+      g_free(safe_dftext);
      g_free(dftext);
      return FALSE;
    }
--- a/gtk/simple_dialog.c
+++ b/gtk/simple_dialog.c
@ -1,7 +1,7 @@
 /* simple_dialog.c
 * Simple message dialog box routines.
 *
- * $Id: simple_dialog.c,v 1.31 2004/04/16 23:16:29 guy Exp $
+ * $Id: simple_dialog.c,v 1.32 2004/05/01 22:55:22 obiot Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@ethereal.com>
@ -35,6 +35,8 @@
 #include "dlg_utils.h"
 #include "compat_macros.h"

+#include <epan/strutil.h>
+
 #include "image/stock_dialog_error_48.xpm"
 #include "image/stock_dialog_info_48.xpm"
 #include "image/stock_dialog_warning_48.xpm"
@ -326,3 +328,20 @@ char *
 simple_dialog_primary_end(void) {
    return PRIMARY_TEXT_END;
 }
+
+char *
+simple_dialog_format_message(const char *msg)
+{
+    char *str;
+
+    if (msg) {
+#if GTK_MAJOR_VERSION < 2
+	str = g_strdup(msg);
+#else
+	str = xml_escape(msg);
+#endif
+    } else {
+	str = NULL;
+    }
+    return str;
+}
--- a/simple_dialog.h
+++ b/simple_dialog.h
@ -2,7 +2,7 @@
 * Definitions for alert box routines with toolkit-independent APIs but
 * toolkit-dependent implementations.
 *
- * $Id: simple_dialog.h,v 1.12 2004/04/16 23:16:28 guy Exp $
+ * $Id: simple_dialog.h,v 1.13 2004/05/01 22:55:22 obiot Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@ethereal.com>
@ -79,6 +79,7 @@ typedef void (* simple_dialog_cb_t) (gpointer dialog, gint btn, gpointer data);
 extern void simple_dialog_set_cb(gpointer dialog, simple_dialog_cb_t callback_fct, gpointer data);

 extern char *simple_dialog_primary_start(void);
+extern char *simple_dialog_format_message(const char *msg);
 extern char *simple_dialog_primary_end(void);

 /*