Merge of r4313:

Added escaping of double quotes in ngx_escape_html().

Patch by Zaur Abasmirzoev.

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 29f8e0d6717102dde157a2ff3ac9f225a887c133..f5e1d4bf3e2e37a80fca2f98ba4eb8fd5f165185 100644 (file)
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1657,6 +1657,10 @@ ngx_escape_html(u_char *dst, u_char *src, size_t size)
                 len += sizeof("&") - 2;
                 break;
 
+            case '"':
+                len += sizeof(""") - 2;
+                break;
+
             default:
                 break;
             }
@@ -1684,6 +1688,11 @@ ngx_escape_html(u_char *dst, u_char *src, size_t size)
             *dst++ = ';';
             break;
 
+        case '"':
+            *dst++ = '&'; *dst++ = 'q'; *dst++ = 'u'; *dst++ = 'o';
+            *dst++ = 't'; *dst++ = ';';
+            break;
+
         default:
             *dst++ = ch;
             break;