[empathy] theme_adium_append_message: escape alias before displaying it
- From: Guillaume Desmottes <gdesmott src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [empathy] theme_adium_append_message: escape alias before displaying it
- Date: Tue, 18 Oct 2011 16:43:25 +0000 (UTC)
commit 739aca418457de752be13721218aaebc74bd9d36
Author: Guillaume Desmottes <guillaume desmottes collabora co uk>
Date: Tue Oct 18 18:32:52 2011 +0200
theme_adium_append_message: escape alias before displaying it
Not doing so can lead to nasty HTML injection from hostile users.
https://bugzilla.gnome.org/show_bug.cgi?id=662035
libempathy-gtk/empathy-theme-adium.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
index 42c0914..66b0320 100644
--- a/libempathy-gtk/empathy-theme-adium.c
+++ b/libempathy-gtk/empathy-theme-adium.c
@@ -782,7 +782,7 @@ theme_adium_append_message (EmpathyChatView *view,
EmpathyContact *sender;
TpMessage *tp_msg;
TpAccount *account;
- gchar *body_escaped;
+ gchar *body_escaped, *name_escaped;
const gchar *name;
const gchar *contact_id;
EmpathyAvatar *avatar;
@@ -947,8 +947,10 @@ theme_adium_append_message (EmpathyChatView *view,
}
}
+ name_escaped = g_markup_escape_text (name, -1);
+
theme_adium_append_html (theme, func, html, body_escaped,
- avatar_filename, name, contact_id,
+ avatar_filename, name_escaped, contact_id,
service_name, message_classes->str,
timestamp, is_backlog, empathy_contact_is_user (sender));
@@ -961,6 +963,7 @@ theme_adium_append_message (EmpathyChatView *view,
priv->last_is_backlog = is_backlog;
g_free (body_escaped);
+ g_free (name_escaped);
g_string_free (message_classes, TRUE);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]