Ensure that spaces are quoted when converting links

* src/convert.c(convert_links): Print the actual quoted newname when printing DEBUG output (local_quote_string): Also quote the ' ' charcter as %20. While it is okay to leave the characted as-is, quoting it covers more edge cases. And it should resolve a >10 year old bug with CSS url() parameters not being quoted Bug-Id: 64082 Reported-By: Ethan Gibbs <ethan@snowsign.net> Discussed-At: https://stackoverflow.com/q/13300017
2025-03-14 03:40:15 +08:00 · 2023-05-16 18:33:40 +02:00 · 2023-05-16 18:33:40 +02:00 · fbbdf9ea01
commit fbbdf9ea01
parent 5409cbcee2
1 changed files with 14 additions and 5 deletions
--- a/src/convert.c
+++ b/src/convert.c
@ -321,7 +321,7 @@ convert_links (const char *file, struct urlpos *links)
                                             link->refresh_timeout);

            DEBUGP (("TO_RELATIVE: %s to %s at position %d in %s.\n",
-                     link->url->url, newname, link->pos, file));
+                     link->url->url, quoted_newname, link->pos, file));

            xfree (newname);
            xfree (quoted_newname);
@ -342,7 +342,7 @@ convert_links (const char *file, struct urlpos *links)
                                             link->refresh_timeout);

            DEBUGP (("Converted file part only: %s to %s at position %d in %s.\n",
-                     link->url->url, newname, link->pos, file));
+                     link->url->url, quoted_newname, link->pos, file));

            xfree (newname);
            xfree (quoted_newname);
@ -365,7 +365,7 @@ convert_links (const char *file, struct urlpos *links)
                                             link->refresh_timeout);

            DEBUGP (("TO_COMPLETE: <something> to %s at position %d in %s.\n",
-                     newlink, link->pos, file));
+                     quoted_newlink, link->pos, file));

            xfree (quoted_newlink);
            ++to_url_count;
@ -731,7 +731,11 @@ find_fragment (const char *beg, int size, const char **bp, const char **ep)
   safe for both local and HTTP-served browsing.

   We always quote "#" as "%23", "%" as "%25" and ";" as "%3B"
-   because those characters have special meanings in URLs.  */
+   because those characters have special meanings in URLs.
+
+   Additionally we always quote ' ' as "%20" since not quoting it
+   is illegal in CSS url()s and quoting it should not harm any
+   local browsing.  */

 static char *
 local_quote_string (const char *file, bool no_html_quote)
@ -741,7 +745,7 @@ local_quote_string (const char *file, bool no_html_quote)
  char buf[1024];
  size_t tolen;

-  char *any = strpbrk (file, "?#%;");
+  char *any = strpbrk (file, "?#%; ");
  if (!any)
    return no_html_quote ? strdup (file) : html_quote_string (file);

@ -771,6 +775,11 @@ local_quote_string (const char *file, bool no_html_quote)
        *to++ = '3';
        *to++ = 'B';
        break;
+      case ' ':
+        *to++ = '%';
+        *to++ = '2';
+        *to++ = '0';
+        break;
      case '?':
        if (opt.adjust_extension)
          {