Re: gopher2html, a possible way to browse the gopherspace via w3m
Good morning,
On Wed, 2018-01-24 at 10:14 +0100, Leonardo Taccari wrote:
> Hello Hiltjo,
>
> Hiltjo Posthuma writes:
> > There is an issue in:
> >
> > type == TYPE["html"] {
> > url = substr(selector, 5) # strip `URL:' prefix
> > printf("<a href='%s'>%s</a>\n", url, encode(user_name))
> > }
> >
> > the url should be escaped too, it can be a security issue.
> > same in "picture" and urlize().
> >
> > The encode() function should escape " (to &quot;) and ' (to &#39;).
>
> I have modified encode() to escape `"' and `'', urlize() to always
> encode() the URL returned and all the printf()s in actions accordingly.
Does it also escape '&' to '&amp;'? Otherwise you're still open to
security problems. I also suggest keeping an eye on '<' and '>' ('&lt;'
and '&gt;').
With best regards,
--
Philipp.
(Rah of PH2)
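The escaping discussed in this thread, as an added example that is not gopher2html's own code: an awk-based `html_encode` that handles all five characters (`&` first, so that the entities produced for the other four are not escaped a second time), and an `html_link` that strips the `URL:` prefix from a selector and encodes both the href value and the display name before emitting the anchor. The function names `html_encode` and `html_link` are assumptions for this example; they are not the project's `encode()` or `urlize()`.

```shell
#!/bin/sh
# Added example (not part of gopher2html): HTML-escape a string for use
# in both element content and quoted attribute values.
html_encode() {
    printf '%s' "$1" | awk '
    {
        # "&" must be replaced first; otherwise the "&" that starts the
        # entities inserted below would itself be turned into "&amp;".
        gsub(/&/, "\\&amp;")
        gsub(/</, "\\&lt;")
        gsub(/>/, "\\&gt;")
        gsub(/"/, "\\&quot;")
        gsub(/'\''/, "\\&#39;")   # needed when attributes are single-quoted
        print
    }'
}

# Emit an <a> element for a gopher "html" item (type h) whose selector
# carries a "URL:" prefix. Both the URL and the user-visible name go
# through html_encode so neither can close the attribute or the element.
html_link() {
    selector=$1
    user_name=$2
    case $selector in
        URL:*) url=${selector#URL:} ;;   # strip `URL:' prefix
        *)     url=$selector ;;
    esac
    printf '<a href="%s">%s</a>\n' "$(html_encode "$url")" "$(html_encode "$user_name")"
}

# Constructed sample input with every special character present.
html_link 'URL:http://example.org/?a=1&b="2"' "Tom & Jerry's <list>"
```

The escaping is only sufficient when the attribute value is quoted (double or single); an unquoted `href=%s` would still let a space or `>` end the attribute, so keep the quotes in the `printf` format and escape the matching quote character.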