From ec8564ba97a9ee8526a109f5799c77eed5b99f7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= Date: Thu, 19 Dec 2019 17:24:39 +0100 Subject: Escape attribute values when building link headers --- src/cow_link.erl | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/cow_link.erl b/src/cow_link.erl index 4cf24c2..3a9526c 100644 --- a/src/cow_link.erl +++ b/src/cow_link.erl @@ -363,10 +363,15 @@ do_link(#{target := TargetURI, rel := Rel, attributes := Params}) -> [ $<, TargetURI, <<">" "; rel=\"">>, Rel, $", - [[<<"; ">>, Key, <<"=\"">>, Value, $"] + [[<<"; ">>, Key, <<"=\"">>, escape(Value, <<>>), $"] || {Key, Value} <- Params] ]. +escape(<<>>, Acc) -> Acc; +escape(<<$\\,R/bits>>, Acc) -> escape(R, <>); +escape(<<$\",R/bits>>, Acc) -> escape(R, <>); +escape(<>, Acc) -> escape(R, <>). + -ifdef(TEST). link_test_() -> Tests = [ @@ -420,6 +425,15 @@ link_test_() -> rel => <<"index">>, attributes => [] } + ]}, + {<<"; rel=\"previous\"; quoted=\"name=\\\"value\\\"\"">>, [ + #{ + target => <<"/">>, + rel => <<"previous">>, + attributes => [ + {<<"quoted">>, <<"name=\"value\"">>} + ] + } ]} ], [{iolist_to_binary(io_lib:format("~0p", [V])), -- cgit v1.2.3
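Review bot: escape/2 rewrites only `\` and `"`, so CR and LF bytes in an attribute value would apparently still reach the built header through the final catch-all clause, and `Key`, `Rel` and `TargetURI` in the same do_link expression are still emitted unescaped. If any of these can carry request-derived data, a value can still end the quoted string or the header line early. I would reject line breaks ahead of the catch-all, e.g. `escape(<<C,_/bits>>, _) when C =:= $\r; C =:= $\n -> error(badarg);`, and add a comment above escape/2 stating that callers must pass an already-valid `Key`, `Rel` and `TargetURI`. The accumulator expressions are rendered as `<>` on this page, so the bytes each clause appends cannot be confirmed from here.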
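Review bot: The added case exercises only the `"` clause of escape/2; the `\` clause has no test in this hunk. A value containing a backslash would pin that branch, for example an attribute `{<<"quoted">>, <<"a\\b">>}` expected to build as `quoted=\"a\\\\b\"` (constructed sample), ideally alongside one where a backslash directly precedes a quote. link_test_ starts and ends outside the hunk, so how the pairs are consumed is not visible here.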