[xiphos-source] [crosswire/xiphos] 0459c4: fix: escape ampersand and apostrophe in annotation...
Devon Kirk
noreply at github.com
Fri Jun 19 07:01:45 EDT 2026
Branch: refs/heads/master
Home: https://github.com/crosswire/xiphos
Commit: 0459c4feed200442c1c1d3e4f384f7393a5746a0
https://github.com/crosswire/xiphos/commit/0459c4feed200442c1c1d3e4f384f7393a5746a0
Author: Devon Kirk <67167176+hyder365 at users.noreply.github.com>
Date: 2026-06-19 (Fri, 19 Jun 2026)
Changed paths:
M src/main/display.cc
Log Message:
-----------
fix: escape ampersand and apostrophe in annotation content to prevent stored XSS (#1330)
The annotation rendering code only replaced <, >, \n, and " with HTML
entities. The ampersand was not escaped, enabling an entity encoding
bypass: an attacker could enter e.g. < which libxml2 would store as
< and decode back to < on retrieval, allowing arbitrary HTML
injection. Add & (must be first to prevent double-encoding) and
apostrophe for defense in depth.
Co-authored-by: Devon Kirk <hyder365 at users.noreply.github.com>
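The bypass and the ordering point described in the message above, as an added illustration written for this page rather than code from the project's display.cc. It assumes escaping is done as a sequence of replace-all calls and uses a minimal entity decoder as a stand-in for what libxml2 does when the stored annotation is read back.

```cpp
#include <map>
#include <string>
#include <vector>

using Rules = std::vector<std::pair<std::string, std::string>>;

// Replace every occurrence of `from` with `to`, scanning left to right.
static std::string replace_all(std::string s, const std::string &from,
                               const std::string &to) {
    for (size_t pos = 0; (pos = s.find(from, pos)) != std::string::npos;
         pos += to.size())
        s.replace(pos, from.size(), to);
    return s;
}

// Apply the replacement rules in the order given (order matters, see below).
std::string escape_with(std::string s, const Rules &rules) {
    for (const auto &r : rules) s = replace_all(s, r.first, r.second);
    return s;
}

// Rules as the commit message describes them before the fix: <, >, newline
// and " only, no ampersand (reconstruction, not the project's actual table).
const Rules kBefore = {{"<", "&lt;"}, {">", "&gt;"}, {"\n", "<br>"}, {"\"", "&quot;"}};

// Rules after the fix: & first, so the entities the later rules emit are not
// re-encoded, plus the apostrophe.
const Rules kAfter = {{"&", "&amp;"}, {"<", "&lt;"}, {">", "&gt;"},
                      {"\n", "<br>"}, {"\"", "&quot;"}, {"'", "&#39;"}};
// The ordering mistake the message warns about: & last double-encodes.
const Rules kAmpLast = {{"<", "&lt;"}, {">", "&gt;"}, {"&", "&amp;"}};

// Minimal stand-in for the entity decoding that happens when the stored
// annotation is read back (assumption: libxml2 decodes the references).
std::string decode_entities(const std::string &in) {
    static const std::map<std::string, std::string> ents = {
        {"&lt;", "<"}, {"&gt;", ">"}, {"&amp;", "&"},
        {"&quot;", "\""}, {"&#39;", "'"}, {"&apos;", "'"}};
    std::string out;
    for (size_t i = 0; i < in.size();) {
        size_t semi = in[i] == '&' ? in.find(';', i) : std::string::npos;
        if (semi != std::string::npos) {
            auto it = ents.find(in.substr(i, semi - i + 1));
            if (it != ents.end()) { out += it->second; i = semi + 1; continue; }
        }
        out += in[i++];
    }
    return out;
}
```

With `kBefore`, an annotation containing a literal `&lt;` reaches the decoder untouched and comes back as `<`; with `kAfter` it is stored as `&amp;lt;` and comes back as the harmless text `&lt;`.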