From 9e528f4c0ce47c3ae7d233ba9627d2ed3df60fd7 Mon Sep 17 00:00:00 2001
From: John MacFarlane
Date: Tue, 7 Jul 2015 11:15:40 -0700
Subject: Fixed email javascript obfuscation with mailto: URLs.
This fixes a potential security issue. Because single quotes weren't being escaped in the link portion, a specially crafted email address could allow javascript code injection. [Jim'+alert('hi')+'OBrien](mailto:me@example.com) Closes #2280.
---
 src/Text/Pandoc/Writers/HTML.hs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/Text/Pandoc')
diff --git a/src/Text/Pandoc/Writers/HTML.hs b/src/Text/Pandoc/Writers/HTML.hs
index 8de34ace8..a1594b2c4 100644
--- a/src/Text/Pandoc/Writers/HTML.hs
+++ b/src/Text/Pandoc/Writers/HTML.hs
@@ -375,8 +375,8 @@ obfuscateLink opts (renderHtml -> txt) s =
 (linkText, altText) =
 if txt == drop 7 s' -- autolink
 then ("e", name' ++ " at " ++ domain')
-else ("'" ++ txt ++ "'", txt ++ " (" ++ name' ++ " at " ++
-domain' ++ ")")
+else ("'" ++ obfuscateString txt ++ "'",
+txt ++ " (" ++ name' ++ " at " ++ domain' ++ ")")
 in case meth of
 ReferenceObfuscation ->
 -- need to use preEscapedString or &'s are escaped to & in URL
-- cgit v1.2.3
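Review bot: The new linkText branch now relies on obfuscateString encoding every character of txt, quote and backslash included, before the value is spliced into a JavaScript string literal, but nothing at the call site records that this is the property that keeps #2280 closed; a comment above the `else` such as `-- obfuscateString encodes every char of txt as a numeric reference, so it cannot terminate the JS string literal (#2280)` would protect the fix from a later "simplification" that drops the call. The altText element still carries raw txt, and name' and domain' appear unencoded on the same lines; their escaping presumably happens where they are consumed further down in obfuscateLink, outside this hunk, which is worth confirming rather than assuming. A regression test built from the example in the commit message, asserting that the emitted script contains no literal `'` originating from the link text, would pin the behaviour. obfuscateLink's body begins and ends outside the hunk.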