html-escapes user given expression when filling hidden field "expression"
authorStefano Zacchiroli <zack@upsilon.cc>
Wed, 20 Apr 2005 08:45:32 +0000 (08:45 +0000)
committerStefano Zacchiroli <zack@upsilon.cc>
Wed, 20 Apr 2005 08:45:32 +0000 (08:45 +0000)
in this way xml/html forbidden characters like "<" are converted to "&lt;"
and don't crash uwobo

helm/searchEngine/searchEngine.ml

index d262029ed55f5d2d6fe1293f8653631953e0588d..341ace5cc625a6200fa9f2a51af66e31bc4fbaec 100644 (file)
@@ -135,6 +135,9 @@ let patch_param param_name param_value url =
   else
     sprintf "%s&%s=%s" url param_name param_value
 
+  (** HTML encoding, e.g.: "<" -> "&lt;" *)
+let html_encode = Netencoding.Html.encode_from_latin1
+
 let send_results results
   ?(id_to_uris = CicTextualParser2.EnvironmentP3.of_string "") 
    (req: Http_types.request) outchan
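Review bot: The doc comment on `html_encode` does not say which characters are escaped or which input encoding is assumed, and both matter for a value that ends up in a hidden form field. As far as I know `Netencoding.Html.encode_from_latin1` escapes `<`, `>`, `&` and `"` but not `'`, so the result is only safe in element content or a double-quoted attribute. The template is not visible here and other substitutions in this file use single-quoted attributes (`checked='true'`), so the quoting around the "expression" field should be confirmed. The function also reads its input as Latin-1, which would presumably garble an expression submitted as UTF-8. I would align the comment with the `let` at column 0 and widen it to something like `(** HTML-escapes a Latin-1 string for element content or a double-quoted attribute value; "'" is left as is *)`.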
@@ -197,7 +200,7 @@ let send_results results
   let subst =
     (tag "SEARCH_ENGINE_URL", my_own_url) ::
     (tag "ADVANCED", advanced) ::
-    (tag "EXPRESSION", req#param "expression") ::
+    (tag "EXPRESSION", html_encode (req#param "expression")) ::
     add_param_substs req#params @
     (if advanced = "no" then
       [ tag "SIMPLE_CHECKED", "checked='true'";
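Review bot: Only `EXPRESSION` is escaped, while the very next line, `add_param_substs req#params @`, still puts request parameters into the same substitution list. `add_param_substs` is defined outside this hunk, so whether it encodes its values cannot be seen from here and should be checked. The same gap is directly visible in the `exec_action` hunk, where `tag "CURRENT_CHOICES", req#param "choices";` sits one line above the fixed entry and is passed through raw. A `<` in `choices` would presumably trigger the same uwobo failure and the same markup injection into the page, so I would change that line to `tag "CURRENT_CHOICES", html_encode (req#param "choices");`. Applying the encoding at the point where request values enter `subst`, rather than per tag, would make it harder to miss one.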
@@ -293,7 +296,7 @@ let exec_action dbd (req: Http_types.request) outchan =
                        tag "ADVANCED", advanced;
                        tag "INTERPRETATIONS", html_interpretations;
                        tag "CURRENT_CHOICES", req#param "choices";
-                       tag "EXPRESSION", req#param "expression";
+                       tag "EXPRESSION", html_encode (req#param "expression");
                        tag "QUERY_KIND", query_kind;
                        tag "QUERY_SUMMARY", "disambiguation";
                        tag "ACTION", string_tail req#path ]
@@ -311,6 +314,7 @@ let exec_action dbd (req: Http_types.request) outchan =
   in
   let module Disambiguate' = Disambiguate.Make(Chat) in
   let ast = CicTextualParser2.parse_term (Stream.of_string term_str) in
+  prerr_endline "prima della disambiguazione";
   let (id_to_uris, metasenv, term) =
     match
       Disambiguate'.disambiguate_term dbd context metasenv ast id_to_uris
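Review bot: The added `prerr_endline "prima della disambiguazione";` here, and its counterpart `prerr_endline "dopo la disambiguazione";` in the next hunk, look like leftover debugging traces unrelated to the escaping fix described in the commit message. As written they appear to run unconditionally on this path of `exec_action`, so stderr would get two lines per disambiguation with no request context to correlate them. I would drop both lines from this commit. If the trace is wanted, route it through whatever debug or logging switch the file already has (none is visible in these hunks), ideally with an English message. `exec_action` starts and ends outside both hunks.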
@@ -318,6 +322,7 @@ let exec_action dbd (req: Http_types.request) outchan =
     | [id_to_uris,metasenv,term,_] -> id_to_uris,metasenv,term
     | _ -> assert false
   in
+  prerr_endline "dopo la disambiguazione";
   let uris =
     match req#path with
     | "/match" -> MetadataQuery.match_term ~dbd term