Add the escapehtml function to the expression API

Add the escapehtml function to the expression API, allowing to escape HTML
strings to guard against HTML injections.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926342 13f79535-47bb-0310-9956-ffa450edef68

Author: rpluem

changes-entries/escapehtml.txt

@@ -0,0 +1,2 @@
+ *) Add the escapehtml function to the expression API, allowing to escape HTML
+    strings to guard against HTML injections. [Ruediger Pluem]

docs/manual/expr.xml

@@ -605,6 +605,8 @@ DIGIT       ::= <any US-ASCII digit "0".."9">
         <td>replace(string, "from", "to") replaces all occurrences of "from"
             in the string with "to". The first parameter must not be a literal string.
             </td><td></td></tr>
+    <tr><td><code>escapehtml</code></td>
+        <td>Escape a HTML string</td><td></td></tr>
 
     </table>
 

server/util_expr_eval.c

@@ -1422,6 +1422,12 @@ static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
 }
 #endif
 
+static const char *escapehtml_func(ap_expr_eval_ctx_t *ctx, const void *data,
+                                   const char *arg)
+{
+    return ap_escape_html(ctx->p, arg);
+}
+
 static int replace_func_parse_arg(ap_expr_lookup_parms *parms)
 {
     const char *original = parms->arg;
@@ -2092,6 +2098,7 @@ static const struct expr_provider_single string_func_providers[] = {
     { ldap_func,            "ldap",           NULL, 0 },
 #endif
     { replace_func,         "replace",        replace_func_parse_arg, 0 },
+    { escapehtml_func,      "escapehtml",     NULL, 0 },
     { NULL, NULL, NULL}
 };