From 76368ed3e538b8cc700b1c4c0443382b6e71078c Mon Sep 17 00:00:00 2001
From: Robert Paprocki <robert@cryptobells.com>
Date: Wed, 22 Feb 2017 20:48:57 -0800
Subject: [PATCH] Handle html_decode through lua-resty-htmlentities

FFI ftw.

This fixes issue #262.
---
 .gitmodules                 |  3 +++
 Makefile                    | 37 ++++++++++++++++++++++++++++---------
 lib/resty/waf/transform.lua | 11 ++++-------
 lua-resty-htmlentities      |  1 +
 4 files changed, 36 insertions(+), 16 deletions(-)
 create mode 160000 lua-resty-htmlentities

diff --git a/.gitmodules b/.gitmodules
index fb5c1594..cbc03ce2 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,3 +4,6 @@
 [submodule "lua-aho-corasick"]
 	path = lua-aho-corasick
 	url = https://github.com/p0pr0ck5/lua-aho-corasick
+[submodule "lua-resty-htmlentities"]
+	path = lua-resty-htmlentities
+	url = https://github.com/detailyang/lua-resty-htmlentities
diff --git a/Makefile b/Makefile
index 4bcf2c35..3a1e848c 100644
--- a/Makefile
+++ b/Makefile
@@ -7,32 +7,39 @@ OPM               = $(RESTY_BINDIR)/opm
 OPM_LIB_DIR      ?= $(OPENRESTY_PREFIX)/site
 PWD               = `pwd`
 
-LIBS       = waf waf.lua
-C_LIBS     = lua-aho-corasick libinjection
-OPM_LIBS   = hamishforbes/lua-resty-iputils p0pr0ck5/lua-resty-cookie p0pr0ck5/lua-ffi-libinjection p0pr0ck5/lua-resty-logger-socket
+LIBS       = waf waf.lua htmlentities.lua
+C_LIBS     = lua-aho-corasick lua-resty-htmlentities libinjection
+OPM_LIBS   = hamishforbes/lua-resty-iputils p0pr0ck5/lua-resty-cookie \
+	p0pr0ck5/lua-ffi-libinjection p0pr0ck5/lua-resty-logger-socket
 MAKE_LIBS  = $(C_LIBS)
-SO_LIBS    = libac.so libinjection.so
+SO_LIBS    = libac.so libinjection.so libhtmlentities.so
 RULES      = rules
 
 LOCAL_LIB_DIR = lib/resty
 
 .PHONY: all test install clean test-unit test-acceptance test-regression \
-test-translate lua-aho-corasick libinjection clean-libinjection \
-clean-lua-aho-corasick install-opm-libs clean-opm-libs
+test-translate lua-aho-corasick lua-resty-htmlentities libinjection \
+clean-libinjection clean-lua-aho-corasick install-opm-libs clean-opm-libs
 
 all: $(MAKE_LIBS) debug-macro
 
-clean: clean-libinjection clean-lua-aho-corasick clean-libs clean-test clean-debug-macro
+clean: clean-libinjection clean-lua-aho-corasick clean-lua-resty-htmlentities \
+	clean-libs clean-test clean-debug-macro
 
 clean-debug-macro:
 	./tools/debug-macro.sh clean
 
 clean-install: clean-opm-libs
-	cd $(LUA_LIB_DIR) && rm -rf $(RULES) && rm -f $(SO_LIBS) && cd resty/ && rm -rf $(LIBS)
+	cd $(LUA_LIB_DIR) && rm -rf $(RULES) && rm -f $(SO_LIBS) && cd resty/ && \
+		rm -rf $(LIBS)
 
 clean-lua-aho-corasick:
 	cd lua-aho-corasick && make clean
 
+clean-lua-resty-htmlentities:
+	cd lua-resty-htmlentities && make clean
+	rm -f lib/resty/htmlentities.lua
+
 clean-libinjection:
 	cd libinjection && make clean && git checkout -- .
 
@@ -51,6 +58,11 @@ debug-macro:
 lua-aho-corasick:
 	cd lua-aho-corasick && make && cp libac.so ../lib/
 
+lua-resty-htmlentities:
+	cd $@ && make
+	cp $@/lib/resty/htmlentities.lua lib/resty
+	cp $@/libhtmlentities.so lib/
+
 libinjection:
 	cd libinjection && make && cp src/libinjection.so ../lib/
 
@@ -69,9 +81,16 @@ test-translate:
 test-lua-aho-corasick:
 	cd lua-aho-corasick && make test
 
+test-lua-resty-htmlentities:
+	cd lua-resty-htmlentities && make test
+
+test-libinjection:
+	cd libinjection && make check
+
 test: clean all test-unit test-acceptance test-regression test-translate
 
-test-libs: clean all test-lua-aho-corasick test-libinjection
+test-libs: clean all test-lua-aho-corasick test-lua-resty-htmlentities \
+	test-libinjection
 
 test-recursive: test test-libs
 
diff --git a/lib/resty/waf/transform.lua b/lib/resty/waf/transform.lua
index cdf0c4f2..25f1af84 100644
--- a/lib/resty/waf/transform.lua
+++ b/lib/resty/waf/transform.lua
@@ -1,6 +1,7 @@
 local _M = {}
 
 local base   = require "resty.waf.base"
+local hdec   = require "resty.htmlentities"
 local logger = require "resty.waf.log"
 local util   = require "resty.waf.util"
 
@@ -13,6 +14,8 @@ local string_sub   = string.sub
 
 _M.version = base.version
 
+hdec.new() -- load the module on require
+
 local function ascii_dec(n)
 	return string_char(tonumber(string_sub(n, 3, -2)))
 end
@@ -58,13 +61,7 @@ _M.lookup = {
 		return util.hex_encode(value)
 	end,
 	html_decode = function(waf, value)
-		local str = string_gsub(value, [=[&lt;]=], '<')
-		str = string_gsub(str, [=[&gt;]=], '>')
-		str = string_gsub(str, [=[&quot;]=], '"')
-		str = string_gsub(str, [=[&apos;]=], "'")
-		str = string_gsub(str, [=[&#%d+;]=], ascii_dec)
-		str = string_gsub(str, [=[&#x%d+;]=], ascii_hex)
-		str = string_gsub(str, [=[&amp;]=], '&')
+		local str = hdec.decode(value)
 		--_LOG_"html decoded value is " .. str
 		return str
 	end,
diff --git a/lua-resty-htmlentities b/lua-resty-htmlentities
new file mode 160000
index 00000000..b1c01a9f
--- /dev/null
+++ b/lua-resty-htmlentities
@@ -0,0 +1 @@
+Subproject commit b1c01a9f3df7744c752b7486f752a07eb9cb9f9b