authorMichael Catanzaro <mcatanzaro@redhat.com>2021-12-14 16:47:00 -0600
committerMarge Bot <marge-bot@gnome.org>2021-12-15 19:45:42 +0000
commitd02518606ef365e42d60c2154759f8005fecbbe3 (patch)
tree58d29a9b1fc9c9003ac44ad956c56d1df788b140 /embed
parent6a6799b7e6c690d14dc5a669f79be58ce52a952d (diff)
view-source-handler: encode data passed to highlight.js
The actual data here should be good already because it gets escaped by GLib, but this function is really designed for use in XML, so let's switch to the simpler Epiphany function designed for anti-XSS to make it more clear what's going on here. The URL is probably vulnerable, though, since a malicious URL could conceivably try to escape the HTML entity context. Encode that. Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
Diffstat (limited to 'embed')
-rw-r--r--embed/ephy-view-source-handler.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/embed/ephy-view-source-handler.c b/embed/ephy-view-source-handler.c
index 115f4b718..10e4ddc44 100644
--- a/embed/ephy-view-source-handler.c
+++ b/embed/ephy-view-source-handler.c
@@ -23,6 +23,7 @@
#include "ephy-embed-container.h"
#include "ephy-embed-shell.h"
+#include "ephy-output-encoding.h"
#include "ephy-web-view.h"
#include <gio/gio.h>
@@ -109,7 +110,9 @@ web_resource_data_cb (WebKitWebResource *resource,
EphyViewSourceRequest *request)
{
g_autofree guchar *data = NULL;
- g_autofree char *escaped_str = NULL;
+ g_autofree char *data_str = NULL;
+ g_autofree char *encoded_str = NULL;
+ g_autofree char *encoded_uri = NULL;
g_autoptr (GError) error = NULL;
g_autofree char *html = NULL;
gsize length;
@@ -120,8 +123,13 @@ web_resource_data_cb (WebKitWebResource *resource,
return;
}
- /* Warning: data is not a string, so we pass length here because it's not NUL-terminated. */
- escaped_str = g_markup_escape_text ((const char *)data, length);
+ /* Convert data to a string */
+ data_str = g_malloc (length + 1);
+ memcpy (data_str, data, length);
+ data_str[length] = '\0';
+
+ encoded_str = ephy_encode_for_html_entity (data_str);
+ encoded_uri = ephy_encode_for_html_entity (webkit_web_resource_get_uri (resource));
html = g_strdup_printf ("<head>"
" <link rel='stylesheet' href='ephy-resource:///org/gnome/epiphany/highlightjs/nnfx-light.css' media='(prefers-color-scheme: no-preference), (prefers-color-scheme: light)'>"
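Review bot: The copy into `data_str` turns the resource body into a NUL-terminated C string, so a resource that contains an embedded NUL byte is cut at that byte before `ephy_encode_for_html_entity` (called with no length, so presumably a C-string API) ever sees it, and the removed comment warning that `data` is not a string is gone with it; the old `g_markup_escape_text` call received `length` and kept everything. In view-source terms that means the page shown can be shorter than what the engine actually received, which is worth at least documenting above the `memcpy`: `/* data may contain NUL bytes; the C-string conversion below drops everything after the first one. */` (surfacing it with a warning or a U+FFFD substitute is a separate judgment call). The three copy lines can also be written as `data_str = g_strndup ((const char *) data, length);`, which yields the same string for the bytes that are passed on and avoids relying on `memcpy`/`<string.h>` being available in this file, which the hunk does not show. web_resource_data_cb begins before this hunk.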
@@ -136,8 +144,8 @@ web_resource_data_cb (WebKitWebResource *resource,
" hljs.initLineNumbersOnLoad();</script>"
" <pre><code class='html'>%s</code></pre>"
"</body>",
- webkit_web_resource_get_uri (resource),
- escaped_str);
+ encoded_uri,
+ encoded_str);
finish_uri_scheme_request (request, g_steal_pointer (&html), NULL);
}