[xiphos-source] [crosswire/xiphos] 9288b2: fix: escape HTML content before embedding in JavaS...
Devon Kirk
noreply at github.com
Fri Jun 19 07:02:38 EDT 2026
Branch: refs/heads/master
Home: https://github.com/crosswire/xiphos
Commit: 9288b260d1051345551d49ac92a17f84cf528996
https://github.com/crosswire/xiphos/commit/9288b260d1051345551d49ac92a17f84cf528996
Author: Devon Kirk <67167176+hyder365 at users.noreply.github.com>
Date: 2026-06-19 (Fri, 19 Jun 2026)
Changed paths:
M src/editor/editor.c
Log Message:
-----------
fix: escape HTML content before embedding in JavaScript string in editor_insert_html (#1329)
editor_insert_html() embeds user-controlled HTML (e.g. the link text from
the link dialog) into a JavaScript string literal that is then executed via
webkit_web_view_execute_script():
    document.execCommand('insertHTML', null, '%s');
Neither single quotes nor backslashes were escaped, so a single quote in the
input broke out of the JS string and allowed arbitrary script execution in
the editor's WebKit context.
Escape the content with g_strescape() before embedding. g_strescape()
escapes backslashes, double quotes and control characters, but it does NOT
escape single quotes -- so the JS string literal is changed from
single-quoted to double-quoted to match what g_strescape() actually escapes.
This blocks both ' and " breakout while preserving legitimate HTML markup
(e.g. quoted href attributes).
Co-authored-by: Devon Kirk <hyder365 at users.noreply.github.com>
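Added example, not part of the commit or of the Xiphos source: a JavaScript model of the script that editor_insert_html() hands to webkit_web_view_execute_script(), before and after the fix, run against a stand-in for the editor's WebKit context so the breakout and the repair can be observed. gStrescape() is written from the documented behaviour of GLib's g_strescape(source, NULL), not the real function; buildVulnerableScript(), buildFixedScript(), runInFakeEditor() and the inputs are constructed for this example. The last input shows what a NULL exceptions argument does to non-ASCII text: every byte of a UTF-8 sequence becomes an octal escape, and the JS parser decodes each escape as one code unit, so "café" does not round-trip unless the exceptions argument (or a different encoder) is used.

```javascript
// Added example (not Xiphos code): models the script editor_insert_html()
// passes to webkit_web_view_execute_script(), before and after the fix.

// JavaScript model of GLib's g_strescape(source, NULL), from its documented
// behaviour. Works on the UTF-8 bytes: \b \t \n \v \f \r, backslash and
// double quote get a backslash in front; every other byte below 0x20 or at or
// above 0x7F becomes a three-digit octal escape; single quote passes through.
function gStrescape(str) {
  const named = { 8: 'b', 9: 't', 10: 'n', 11: 'v', 12: 'f', 13: 'r', 34: '"', 92: '\\' };
  let out = '';
  for (const byte of Buffer.from(str, 'utf8')) {
    if (byte in named) out += '\\' + named[byte];
    else if (byte < 0x20 || byte >= 0x7f) out += '\\' + byte.toString(8).padStart(3, '0');
    else out += String.fromCharCode(byte);
  }
  return out;
}

// Before the fix: the HTML is dropped into a single-quoted literal unescaped.
function buildVulnerableScript(html) {
  return "document.execCommand('insertHTML', null, '" + html + "');";
}

// After the fix: escape first, then use a double-quoted literal so that the
// quote character g_strescape() does escape is the one delimiting the literal.
function buildFixedScript(html) {
  return 'document.execCommand("insertHTML", null, "' + gStrescape(html) + '");';
}

// Stand-in for the editor's WebKit context. Records what execCommand received
// and carries a flag that only injected code could set. The script runs in
// sloppy mode, as a page script does, so legacy octal escapes are accepted.
// Returns {value, pwned}, or {error} when the script does not even parse.
function runInFakeEditor(script) {
  const document = {
    pwned: false,
    value: undefined,
    execCommand(cmd, ui, value) { if (cmd === 'insertHTML') this.value = value; },
  };
  try {
    new Function('document', script)(document);
  } catch (e) {
    return { error: e.constructor.name };
  }
  return { value: document.value, pwned: document.pwned };
}

// Constructed inputs: a breakout via single quote, a trailing backslash,
// ordinary link markup with quoted attributes, and a non-ASCII character.
const INPUTS = {
  quoteBreakout: "x'); document.pwned = true; ('y",
  backslash: 'trailing\\',
  linkMarkup: '<a href="https://example.org/">Example</a>',
  nonAscii: 'caf\u00e9',
};

// Runs one input through both script builders and reports what happened.
function compare(html) {
  return {
    vulnerable: runInFakeEditor(buildVulnerableScript(html)),
    fixed: runInFakeEditor(buildFixedScript(html)),
  };
}

for (const [name, html] of Object.entries(INPUTS)) {
  console.log(name, JSON.stringify(compare(html)));
}
```

Run with node. For the quote input the vulnerable path records only "x" and sets pwned; the fixed path records the whole input untouched. The trailing backslash turns the vulnerable script into a SyntaxError, while the fixed form round-trips it. The non-ASCII input round-trips only through the vulnerable path: the fixed path yields two code units for the single character, which is the exceptions-argument caveat from the lead-in.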