[epiphany/mcatanzaro/#1612: 5/14] about-handler: properly encode web app info in about:applications
- From: Marge Bot <marge-bot src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/#1612: 5/14] about-handler: properly encode web app info in about:applications
- Date: Wed, 15 Dec 2021 19:45:45 +0000 (UTC)
commit 23385ab95fa6771e8e6145682854c960f03af554
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Tue Dec 14 16:44:36 2021 -0600
about-handler: properly encode web app info in about:applications
The web app has some partial control over its title, and full control
over its URL. Let's be careful here to ensure the web app info cannot be
used to execute code.
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
embed/ephy-about-handler.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
---
diff --git a/embed/ephy-about-handler.c b/embed/ephy-about-handler.c
index aecb50731..ee169e40a 100644
--- a/embed/ephy-about-handler.c
+++ b/embed/ephy-about-handler.c
@@ -264,19 +264,37 @@ handle_applications_finished_cb (EphyAboutHandler *handler,
for (p = applications; p; p = p->next) {
EphyWebApplication *app = (EphyWebApplication *)p->data;
+ g_autofree char *html_encoded_id = NULL;
+ g_autofree char *encoded_icon_url = NULL;
+ g_autofree char *encoded_name = NULL;
+ g_autofree char *encoded_url = NULL;
+ g_autofree char *js_encoded_id = NULL;
+ g_autofree char *encoded_install_date = NULL;
if (ephy_web_application_is_system (app))
continue;
+ /* Most of these fields are untrusted. The web app suggests its own title,
+ * which gets used in the app ID and icon URL. The main URL could contain
+ * anything. Install date is the only trusted field here in that it's
+ * constructed by Epiphany, but it's a freeform string and we're encoding
+ * everything else here anyway, so might as well encode this too.
+ */
+ html_encoded_id = ephy_encode_for_html_attribute (app->id);
+ encoded_icon_url = ephy_encode_for_html_attribute (app->icon_url);
+ encoded_name = ephy_encode_for_html_entity (app->name);
+ encoded_url = ephy_encode_for_html_entity (app->url);
+ js_encoded_id = ephy_encode_for_javascript (app->id);
+ encoded_install_date = ephy_encode_for_html_entity (app->install_date);
g_string_append_printf (data_str,
"<tbody><tr id =\"%s\">"
"<td class=\"icon\"><img width=64 height=64 src=\"file://%s\"></img></td>"
"<td class=\"data\"><div class=\"appname\">%s</div><div
class=\"appurl\">%s</div></td>"
"<td class=\"input\"><input type=\"button\" value=\"%s\"
onclick=\"deleteWebApp('%s');\"></td>"
"<td class=\"date\">%s <br /> %s</td></tr></tbody>",
- app->id, app->icon_url, app->name, app->url, _("Delete"), app->id,
+ html_encoded_id, encoded_icon_url, encoded_name, encoded_url, _("Delete"),
js_encoded_id,
/* Note for translators: this refers to the installation date. */
- _("Installed on:"), app->install_date);
+ _("Installed on:"), encoded_install_date);
}
g_string_append (data_str, "</table></div></body></html>");
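Review bot: In the onclick=\"deleteWebApp('%s');\" line, js_encoded_id lands in a JavaScript string literal that is itself nested inside a double-quoted HTML attribute, yet it is passed only through ephy_encode_for_javascript. The HTML parser decodes the attribute value before the script runs, so the value has to be inert at both layers. Nothing in this hunk shows that the JavaScript encoder also neutralises characters such as " and & that matter in an attribute. Either extend the new comment block to state that ephy_encode_for_javascript emits only characters that are safe in a quoted attribute, or apply ephy_encode_for_html_attribute to the JavaScript-encoded result before formatting it. A smaller point on the same format string: _("Delete") is still written into value=\"%s\" unencoded, and the comment, which explains why install_date is encoded even though it is trusted, does not say why the translated strings are left as they are.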