[empathy] Escape what is put inside <a> tags



commit 2d9bbb26709398a1211312306ce5bee4b639f2a3
Author: Gustavo Noronha Silva <gustavo noronha collabora co uk>
Date:   Tue Nov 24 15:28:59 2009 -0200

    Escape what is put inside <a> tags
    
    We should be careful here, and make sure whatever is put enclosed by
    <a> tags is correctly encoded. What caused bug #597049 is that what
    was being linked to looked like a tag, so the browser ignored it, but
    this is potentially a security vulnerability.
    
    Bug #597049

 libempathy-gtk/empathy-theme-adium.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)
---
diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
index a702ded..2e88ec1 100644
--- a/libempathy-gtk/empathy-theme-adium.c
+++ b/libempathy-gtk/empathy-theme-adium.c
@@ -228,12 +228,19 @@ theme_adium_replace_link (const gchar *text,
 {
 	GString *string = user_data;
 	gchar *real_url;
+	gchar *str;
 
 	/* Append the link inside <a href=""></a> tag */
 	real_url = empathy_make_absolute_url_len (text, len);
 
 	g_string_append_printf (string, "<a href=\"%s\">", real_url);
-	g_string_append_len (string, text, len);
+
+	/* The thing we are making a link of may contain
+	 * characters which need escaping */
+	str = g_markup_escape_text (text, len);
+	g_string_append (string, str);
+	g_free (str);
+
 	g_string_append (string, "</a>");
 
 	g_free (real_url);
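Review bot: The href attribute on the unchanged line g_string_append_printf (string, "<a href=\"%s\">", real_url); still receives real_url unescaped, so the text that is now escaped for the link body can still carry a double quote or an angle bracket into the attribute value. Unless empathy_make_absolute_url_len already escapes its result, pass real_url through g_markup_escape_text as well before appending it, or build the opening tag with g_markup_printf_escaped. A short comment noting which of the two values is trusted would also help the next reader.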


