
Re: gopher2html, a possible way to browse the gopherspace via w3m



Good morning,


On Wed, 2018-01-24 at 10:14 +0100, Leonardo Taccari wrote:
> Hello Hiltjo,
> 
> Hiltjo Posthuma writes:
> > There is an issue in:
> >
> > 	type == TYPE["html"] {
> > 		url = substr(selector, 5)	# strip `URL:' prefix
> > 		printf("<a href='%s'>%s</a>\n", url, encode(user_name))
> > 	}
> >
> > 	the url should be escaped too, it can be a security issue.
> > 	same in "picture" and urlize().
> >
> > The encode() function should escape " (to &quot;) and ' (to &#39;).
> 
> I have modified encode() to escape `"' and `'', urlize() to always
> encode() the URL returned and all the printf()s in actions accordingly.

Does it also escape '&' to '&amp;'? Otherwise you're still open to
security problems. I also suggest keeping an eye on '<' and '>' ('&lt;'
and '&gt;').


With best regards,

-- 
Philipp.
 (Rah of PH2)
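The escaping rule discussed in this thread, as an added example (this is not code from gopher2html or from any of the posters): an encode() that handles all five characters, with '&' first, applied to both the href value and the link text of the "html" item type. The selector and user name are constructed sample values; the function names are hypothetical.

```python
# Added example, not part of gopher2html: HTML-escaping for both the
# attribute value (href='...') and the element text of a gopher link.
# The order of the table matters: '&' must be replaced first, otherwise the
# '&' that starts an already emitted entity gets escaped a second time.
ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def encode(text):
    """Escape text for use inside an HTML element or a quoted attribute."""
    for raw, entity in ESCAPES:
        text = text.replace(raw, entity)
    return text


def encode_wrong_order(text):
    """Same table applied backwards: '&' last, which double-escapes '<'."""
    for raw, entity in reversed(ESCAPES):
        text = text.replace(raw, entity)
    return text


def html_link(selector, user_name):
    """Mirror of the awk action for type 'h': strip the `URL:' prefix,
    then escape both the URL and the display name (hypothetical helper)."""
    url = selector[4:]
    return "<a href='%s'>%s</a>" % (encode(url), encode(user_name))


def html_link_unescaped_url(selector, user_name):
    """The shape the thread flags as a problem: only the name is escaped."""
    url = selector[4:]
    return "<a href='%s'>%s</a>" % (url, encode(user_name))


def href_value(html):
    """Return what a browser takes as the href value: everything up to the
    next single quote after href='."""
    start = html.index("href='") + len("href='")
    return html[start:html.index("'", start)]


# Constructed sample gopher menu fields (not from any real server).
SELECTOR = "URL:http://example.invalid/?a=1&b=O'Brien"
USER_NAME = "Tom & Jerry <3"

if __name__ == "__main__":
    print(html_link(SELECTOR, USER_NAME))
    # With the URL left raw, the quote in the selector ends the attribute
    # early and the href the browser sees is truncated at "b=O".
    print(href_value(html_link_unescaped_url(SELECTOR, USER_NAME)))
    print(encode_wrong_order(USER_NAME))
```

One awk-specific caveat when porting this table back into gopher2html: in the replacement argument of gsub(), a bare '&' stands for the matched text, so the entity has to be written as "\\&amp;" (and likewise for the other entities) to emit a literal ampersand.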