[epiphany/mcatanzaro/#1612: 5/14] about-handler: properly encode web app info in about:applications

[Marge Bot <marge-bot src gnome org>]

commit 23385ab95fa6771e8e6145682854c960f03af554
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Tue Dec 14 16:44:36 2021 -0600

    about-handler: properly encode web app info in about:applications
    
    The web app has some partial control over its title, and full control
    over its URL. Let's be careful here to ensure the web app info cannot be
    used to execute code.
    
    Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>

 embed/ephy-about-handler.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
---
diff --git a/embed/ephy-about-handler.c b/embed/ephy-about-handler.c
index aecb50731..ee169e40a 100644
--- a/embed/ephy-about-handler.c
+++ b/embed/ephy-about-handler.c
@@ -264,19 +264,37 @@ handle_applications_finished_cb (EphyAboutHandler       *handler,
 
     for (p = applications; p; p = p->next) {
       EphyWebApplication *app = (EphyWebApplication *)p->data;
+      g_autofree char *html_encoded_id = NULL;
+      g_autofree char *encoded_icon_url = NULL;
+      g_autofree char *encoded_name = NULL;
+      g_autofree char *encoded_url = NULL;
+      g_autofree char *js_encoded_id = NULL;
+      g_autofree char *encoded_install_date = NULL;
 
       if (ephy_web_application_is_system (app))
         continue;
 
+      /* Most of these fields are untrusted. The web app suggests its own title,
+       * which gets used in the app ID and icon URL. The main URL could contain
+       * anything. Install date is the only trusted field here in that it's
+       * constructed by Epiphany, but it's a freeform string and we're encoding
+       * everything else here anyway, so might as well encode this too.
+       */
+      html_encoded_id = ephy_encode_for_html_attribute (app->id);
+      encoded_icon_url = ephy_encode_for_html_attribute (app->icon_url);
+      encoded_name = ephy_encode_for_html_entity (app->name);
+      encoded_url = ephy_encode_for_html_entity (app->url);
+      js_encoded_id = ephy_encode_for_javascript (app->id);
+      encoded_install_date = ephy_encode_for_html_entity (app->install_date);
       g_string_append_printf (data_str,
                               "<tbody><tr id =\"%s\">"
                               "<td class=\"icon\"><img width=64 height=64 src=\"file://%s\"></img></td>"
                               "<td class=\"data\"><div class=\"appname\">%s</div><div 
class=\"appurl\">%s</div></td>"
                               "<td class=\"input\"><input type=\"button\" value=\"%s\" 
onclick=\"deleteWebApp('%s');\"></td>"
                               "<td class=\"date\">%s <br /> %s</td></tr></tbody>",
-                              app->id, app->icon_url, app->name, app->url, _("Delete"), app->id,
+                              html_encoded_id, encoded_icon_url, encoded_name, encoded_url, _("Delete"), 
js_encoded_id,
                               /* Note for translators: this refers to the installation date. */
-                              _("Installed on:"), app->install_date);
+                              _("Installed on:"), encoded_install_date);
     }
 
     g_string_append (data_str, "</table></div></body></html>");