From dfecd574a87d7bcf5645ff03d78db49f11ca4c94 Mon Sep 17 00:00:00 2001
From: Jean-Francois Dockes
Date: Fri, 27 Jul 2012 09:00:45 +0200
Subject: [PATCH] Escape html characters in fields before inserting them in result paragraph. Closes issue #99
---
 src/query/reslistpager.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/query/reslistpager.cpp b/src/query/reslistpager.cpp
index 59a6a09e..2fc26fd1 100644
--- a/src/query/reslistpager.cpp
+++ b/src/query/reslistpager.cpp
@@ -238,7 +238,7 @@ void ResListPager::displayDoc(RclConfig *config,
 chunk << "

"; // Configurable stuff
- map subs;
+ map subs;
 subs["A"] = !richabst.empty() ? richabst : "";
 subs["D"] = datebuf;
 subs["I"] = iconurl;
@@ -254,8 +254,12 @@ void ResListPager::displayDoc(RclConfig *config,
 subs["t"] = escapeHtml(doc.meta[Rcl::Doc::keytt]);
 subs["U"] = url;
- // Let %(xx) access all metadata.
- subs.insert(doc.meta.begin(), doc.meta.end());
+ // Let %(xx) access all metadata. HTML-neuter everything:
+ for (map::iterator it = doc.meta.begin();
+ it != doc.meta.end(); it++) {
+ if (!it->first.empty())
+ subs[it->first] = escapeHtml(it->second);
+ }
 string formatted;
 pcSubst(parFormat(), formatted, subs);
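Review bot: The new loop assigns with `subs[it->first] = escapeHtml(it->second);`, which overwrites the entries set just above it (`subs["t"]`, `subs["U"]` and the others), whereas the removed `subs.insert(doc.meta.begin(), doc.meta.end())` left existing keys untouched. Since doc.meta presumably comes from the indexed documents, a metadata field whose name collides with a built-in key would now replace the URL or title shown in the result paragraph. Keeping the old precedence needs only a guard, `if (!it->first.empty() && subs.find(it->first) == subs.end())`. A short comment stating that built-in keys win over document metadata would also help. displayDoc starts and ends outside this hunk, so how the remaining substitutions are escaped could not be checked from here.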