Prevent XSS with action parameter

WorkerThread.cpp

@@ -244,7 +244,7 @@ void CWorkerThread::ProcessRequest(CClient *client, FCGIRequest *req)
 
 			if( tid==0 )
 			{
-				std::string error="Error: Unknown action ["+iter2->second+"]";
+				std::string error="Error: Unknown action ["+ EscapeHTML(iter2->second)+"]";
 				Server->Log(error, LL_WARNING);
 				try
 				{

httpserver/HTTPAction.cpp

@@ -99,7 +99,7 @@ void CHTTPAction::operator()(void)
 
 	if( tid==0 )
 	{
-		std::string error="Error: Unknown action ["+name+"]";
+		std::string error="Error: Unknown action ["+EscapeHTML(name)+"]";
 		Server->Log(error, LL_WARNING);
 		output->Write("Content-type: text/html; charset=UTF-8\r\n\r\n"+error);
 	}

stringtools.cpp

@@ -1198,6 +1198,24 @@ std::string UnescapeHTML(const std::string &html)
 	ret=greplace(">", ">", ret);
 	ret=greplace(""", "\"", ret);
 	ret=greplace("'", "'", ret);
+	ret = greplace("&#x2F", "/", ret);
+	return ret;
+}
+
+std::string EscapeHTML(const std::string & html)
+{
+	std::string ret;
+	ret.reserve(html.size());
+	for (size_t i = 0; i < html.size(); ++i)
+	{
+		if (html[i] == '<') ret += "&lt;";
+		else if (html[i] == '>') ret += "&gt;";
+		else if (html[i] == '&') ret += "&amp;";
+		else if (html[i] == '\"') ret += "&quot;";
+		else if (html[i] == '\'') ret += "&#x27;";
+		else if (html[i] == '/') ret += "&#x2F";
+		else ret += html[i];
+	}
 	return ret;
 }
 

stringtools.h

@@ -75,6 +75,7 @@ std::string trim(const std::string &str);
 void replaceNonAlphaNumeric(std::string &str, char rch);
 std::string conv_filename(std::string fn);
 std::string UnescapeHTML(const std::string &html);
+std::string EscapeHTML(const std::string &html);
 std::string PrettyPrintBytes(_i64 bytes);
 std::string PrettyPrintSpeed(size_t bps);
 std::string PrettyPrintTime(int64 ms);