X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_httpd_stats.cpp;h=e17bf514f0835d494e57f60074bd5e30b009a55a;hb=a5d110282a864fd2e91b51ce360a977cd0643657;hp=077bc4f2d88839996e5c26cbff7b29a043558084;hpb=84a1569cd60daa64b1ae52a1fff62c0dc4d78850;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_httpd_stats.cpp b/src/modules/m_httpd_stats.cpp
index 077bc4f2d..e17bf514f 100644
--- a/src/modules/m_httpd_stats.cpp
+++ b/src/modules/m_httpd_stats.cpp
@@ -55,14 +55,22 @@ class ModuleHttpStats : public Module
 				ret += it->second;
 				ret += ';';
 			}
-			else if (*x < 32 || *x > 126)
+			else if (*x == 0x09 ||  *x == 0x0A || *x == 0x0D || ((*x >= 0x20) && (*x <= 0x7e)))
 			{
-				int n = (unsigned char)*x;
-				ret += ("&#" + ConvToStr(n) + ";");
+				// The XML specification defines the following characters as valid inside an XML document:
+				// Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
+				ret += *x;
 			}
 			else
 			{
-				ret += *x;
+				// If we reached this point then the string contains characters which can
+				// not be represented in XML, even using a numeric escape. Therefore, we
+				// Base64 encode the entire string and wrap it in a CDATA.
+				ret.clear();
+				ret += "<![CDATA[";
+				ret += BinToBase64(str);
+				ret += "]]>";
+				break;
 			}
 		}
 		return ret;
@@ -145,7 +153,7 @@ class ModuleHttpStats : public Module
 					Channel* c = a->second;
 
 					data << "<channel>";
-					data << "<usercount>" << c->GetUsers()->size() << "</usercount><channelname>" << c->name << "</channelname>";
+					data << "<usercount>" << c->GetUsers()->size() << "</usercount><channelname>" << Sanitize(c->name) << "</channelname>";
 					data << "<channeltopic>";
 					data << "<topictext>" << Sanitize(c->topic) << "</topictext>";
 					data << "<setby>" << Sanitize(c->setby) << "</setby>";
@@ -205,7 +213,7 @@ class ModuleHttpStats : public Module
 					data << "<server>";
 					data << "<servername>" << b->servername << "</servername>";
 					data << "<parentname>" << b->parentname << "</parentname>";
-					data << "<gecos>" << b->gecos << "</gecos>";
+					data << "<gecos>" << Sanitize(b->gecos) << "</gecos>";
 					data << "<usercount>" << b->usercount << "</usercount>";
 // This is currently not implemented, so, commented out.
 //					data << "<opercount>" << b->opercount << "</opercount>";