From b686bc19649ce6e0b1b61f9da2634f8c8281f72c Mon Sep 17 00:00:00 2001
From: fyodor <fyodor@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Sun, 13 Jan 2008 22:13:53 +0000
Subject: [PATCH] We now escape newlines, carriage returns, and tabs (\n\r\t)
 in XML   output.  While those are allowed in XML attributes, they get  
 normalized which can make formatting the output difficult for   applications
 which parse Nmap XML. [Joao Medeiros, David, Fyodor]

---
 CHANGELOG |  5 +++++
 output.cc | 17 ++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 62a763231..c3b50c8d4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,10 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
+  output.  While those are allowed in XML attributes, they get
+  normalized which can make formatting the output difficult for
+  applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
+
 o Add Famtech Radmin remote control software probe and signatures to
   the Nmap version detection DB. [Tom Sellers, Fyodor]
 
diff --git a/output.cc b/output.cc
index 81184f64c..ef21b2027 100644
--- a/output.cc
+++ b/output.cc
@@ -794,6 +794,12 @@ char* formatScriptOutput(struct script_scan_result ssr) {
 }
 #endif /* NOLUA */
 
+
+/* Note that this escapes newlines, which is generally needed in
+   attributes to avoid parser normalization, but might not be needed
+   or desirable in XML content outside of attributes.  So if we find
+   some cases where we don't want \r\n\t escaped, we'll have to add a
+   parameter to control this. */
 char* xml_convert (const char* str) {
   char *temp, ch=0, prevch = 0, *p;
   int strl = strlen(str);
@@ -802,6 +808,15 @@ char* xml_convert (const char* str) {
   for (p = temp;(prevch = ch, ch = *str);str++) {
     char *a;
     switch (ch) {
+    case '\t':
+      a = "&#x9;";
+      break;
+    case '\r':
+      a = "&#xd;";
+      break;
+    case '\n':
+      a = "&#xa;";
+      break;
     case '<':
       a = "&lt;";
       break;
@@ -1632,7 +1647,7 @@ void printosscanoutput(Target *currenths) {
 				 currenths->v4hostip(), distance, currenths->MACAddress(),
 				 FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
 				 false));
-    log_write(LOG_XML,"<osfingerprint fingerprint=\"\n%s\" />\n", xml_osfp);
+    log_write(LOG_XML,"<osfingerprint fingerprint=\"%s\" />\n", xml_osfp);
     free(xml_osfp);
   }