[libxml2] Revert "Do not URI escape in server side includes"



commit c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sat Aug 15 18:32:29 2020 +0200

    Revert "Do not URI escape in server side includes"
    
    This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
    
    This commit introduced
    
    - an infinite loop, found by OSS-Fuzz, which could be easily fixed.
    - an algorithm with quadratic runtime
    - a security issue, see
      https://bugzilla.gnome.org/show_bug.cgi?id=769760
    
    A better approach is to add an option not to escape URLs at all,
    which libxml2 should possibly have done in the first place.

 HTMLtree.c | 49 +++++++++++--------------------------------------
 1 file changed, 11 insertions(+), 38 deletions(-)
---
diff --git a/HTMLtree.c b/HTMLtree.c
index 8d236bb35..cdb7f86a6 100644
--- a/HTMLtree.c
+++ b/HTMLtree.c
@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
                 (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
                 ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
                  (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
+               xmlChar *escaped;
                xmlChar *tmp = value;
-               /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
-               xmlBufCCat(buf->buffer, "\"");
 
                while (IS_BLANK_CH(*tmp)) tmp++;
 
-               /* URI Escape everything, except server side includes. */
-               for ( ; ; ) {
-                   xmlChar *escaped;
-                   xmlChar endChar;
-                   xmlChar *end = NULL;
-                   xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
-                   if (start != NULL) {
-                       end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
-                       if (end != NULL) {
-                           *start = '\0';
-                       }
-                   }
-
-                   /* Escape the whole string, or until start (set to '\0'). */
-                   escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
-                   if (escaped != NULL) {
-                       xmlBufCat(buf->buffer, escaped);
-                       xmlFree(escaped);
-                   } else {
-                       xmlBufCat(buf->buffer, tmp);
-                   }
-
-                   if (end == NULL) { /* Everything has been written. */
-                       break;
-                   }
-
-                   /* Do not escape anything within server side includes. */
-                   *start = '<'; /* Restore the first character of "<!--". */
-                   end += 3; /* strlen("-->") */
-                   endChar = *end;
-                   *end = '\0';
-                   xmlBufCat(buf->buffer, start);
-                   *end = endChar;
-                   tmp = end;
+               /*
+                * the < and > have already been escaped at the entity level
+                * And doing so here breaks server side includes
+                */
+               escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
+               if (escaped != NULL) {
+                   xmlBufWriteQuotedString(buf->buffer, escaped);
+                   xmlFree(escaped);
+               } else {
+                   xmlBufWriteQuotedString(buf->buffer, value);
                }
-
-               xmlBufCCat(buf->buffer, "\"");
            } else {
                xmlBufWriteQuotedString(buf->buffer, value);
            }
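Review bot: The fallback arm `xmlBufWriteQuotedString(buf->buffer, value);` writes the attribute without URI escaping whenever xmlURIEscapeStr() returns NULL, and it writes `value` rather than `tmp`, so the leading blanks skipped by the `while (IS_BLANK_CH(*tmp)) tmp++;` loop are emitted only on that path; the same attribute thus serializes differently in more than just escaping. If this best-effort degradation is intended (presumably the NULL return is an allocation failure, which is not visible in the hunk), a comment should say so, e.g. `/* Escaping failed (likely OOM): emit the quoted raw value rather than drop the attribute. */`, and passing `tmp` instead of `value` would keep the two paths consistent. The restored comment above the call also reads as if `<` and `>` were escaped here, whereas they sit in the exclusion list, so a wording like `/* '<' and '>' are deliberately left unescaped here: they are handled at the entity level, and escaping them breaks server side includes. */` would be clearer. htmlAttrDumpOutput begins before this hunk, so whether the caller can observe an escaping failure cannot be judged from what is shown.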

