authorJohn MacFarlane <jgm@berkeley.edu>2015-07-07 11:15:40 -0700
committerJohn MacFarlane <jgm@berkeley.edu>2015-07-07 11:15:40 -0700
commit9e528f4c0ce47c3ae7d233ba9627d2ed3df60fd7 (patch)
tree2964da504b5f7cb899a1ae245e3a2e99915f84e4 /src/Text/Pandoc
parent7398dea65fd57281b73698fdbf5c709bf0e64ed7 (diff)
Fixed email javascript obfuscation with mailto: URLs.
This fixes a potential security issue. Because single quotes weren't being escaped in the link-text portion, specially crafted link text on a mailto: link could allow javascript code injection, as in [Jim'+alert('hi')+'OBrien](mailto:me@example.com) Closes #2280.
Diffstat (limited to 'src/Text/Pandoc')
-rw-r--r--src/Text/Pandoc/Writers/HTML.hs4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Text/Pandoc/Writers/HTML.hs b/src/Text/Pandoc/Writers/HTML.hs
index 8de34ace8..a1594b2c4 100644
--- a/src/Text/Pandoc/Writers/HTML.hs
+++ b/src/Text/Pandoc/Writers/HTML.hs
@@ -375,8 +375,8 @@ obfuscateLink opts (renderHtml -> txt) s =
(linkText, altText) =
if txt == drop 7 s' -- autolink
then ("e", name' ++ " at " ++ domain')
- else ("'" ++ txt ++ "'", txt ++ " (" ++ name' ++ " at " ++
- domain' ++ ")")
+ else ("'" ++ obfuscateString txt ++ "'",
+ txt ++ " (" ++ name' ++ " at " ++ domain' ++ ")")
in case meth of
ReferenceObfuscation ->
-- need to use preEscapedString or &'s are escaped to &amp; in URL
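Review bot: The new `obfuscateString txt` in the else branch closes the injection only on the assumption that obfuscateString rewrites every character of txt — including `'`, `\`, `<` and `/` — into a numeric entity that cannot terminate the JavaScript string literal linkText is later spliced into; nothing in the hunk records that invariant, so a future change that lets some characters through (non-ASCII, or pre-existing entity references) would reopen the hole silently. I would state it next to the call: `-- obfuscateString must entity-encode every char of txt: a bare ', \ or </ here would break out of the JS string literal built in the JavascriptObfuscation branch`. The autolink branch still emits the bare variable name `e` rather than user text, so it appears unaffected, though the code that defines `e` is outside this hunk. No regression test accompanies the fix in this diff; the diffstat is limited to src/Text/Pandoc, so one may exist elsewhere, but the commit message's example is a ready-made case worth pinning. obfuscateLink starts before this hunk and the branches that consume linkText continue past it.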