[empathy/gnome-3-2] theme_adium_append_message: escape alias before displaying it



commit 7e6126e5936a049436b2c56a796279ed164c3595
Author: Guillaume Desmottes <guillaume desmottes collabora co uk>
Date:   Tue Oct 18 18:32:52 2011 +0200

    theme_adium_append_message: escape alias before displaying it
    
    Not doing so can lead to nasty HTML injection from hostile users.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=662035

 libempathy-gtk/empathy-theme-adium.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
index 8ca83a9..8dfc07b 100644
--- a/libempathy-gtk/empathy-theme-adium.c
+++ b/libempathy-gtk/empathy-theme-adium.c
@@ -782,7 +782,7 @@ theme_adium_append_message (EmpathyChatView *view,
 	EmpathyContact        *sender;
 	TpMessage             *tp_msg;
 	TpAccount             *account;
-	gchar                 *body_escaped;
+	gchar                 *body_escaped, *name_escaped;
 	const gchar           *name;
 	const gchar           *contact_id;
 	EmpathyAvatar         *avatar;
@@ -949,8 +949,10 @@ theme_adium_append_message (EmpathyChatView *view,
 		}
 	}
 
+	name_escaped = g_markup_escape_text (name, -1);
+
 	theme_adium_append_html (theme, func, html, body_escaped,
-				 avatar_filename, name, contact_id,
+				 avatar_filename, name_escaped, contact_id,
 				 service_name, message_classes->str,
 				 timestamp, is_backlog, empathy_contact_is_user (sender));
 
@@ -963,6 +965,7 @@ theme_adium_append_message (EmpathyChatView *view,
 	priv->last_is_backlog = is_backlog;
 
 	g_free (body_escaped);
+	g_free (name_escaped);
 	g_string_free (message_classes, TRUE);
 }
 



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]