diff options
author | John MacFarlane <jgm@berkeley.edu> | 2015-07-07 11:15:40 -0700 |
---|---|---|
committer | John MacFarlane <jgm@berkeley.edu> | 2015-07-07 11:15:40 -0700 |
commit | 9e528f4c0ce47c3ae7d233ba9627d2ed3df60fd7 (patch) | |
tree | 2964da504b5f7cb899a1ae245e3a2e99915f84e4 /src | |
parent | 7398dea65fd57281b73698fdbf5c709bf0e64ed7 (diff) | |
download | pandoc-9e528f4c0ce47c3ae7d233ba9627d2ed3df60fd7.tar.gz |
Fixed email javascript obfuscation with mailto: URLs.
This fixes a potential security issue. Because single quotes weren't
being escaped in the link portion, a specially crafted email address
could allow javascript code injection.
[Jim'+alert('hi')+'OBrien](mailto:me@example.com)
Closes #2280.
Diffstat (limited to 'src')
-rw-r--r-- | src/Text/Pandoc/Writers/HTML.hs | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Text/Pandoc/Writers/HTML.hs b/src/Text/Pandoc/Writers/HTML.hs index 8de34ace8..a1594b2c4 100644 --- a/src/Text/Pandoc/Writers/HTML.hs +++ b/src/Text/Pandoc/Writers/HTML.hs @@ -375,8 +375,8 @@ obfuscateLink opts (renderHtml -> txt) s = (linkText, altText) = if txt == drop 7 s' -- autolink then ("e", name' ++ " at " ++ domain') - else ("'" ++ txt ++ "'", txt ++ " (" ++ name' ++ " at " ++ - domain' ++ ")") + else ("'" ++ obfuscateString txt ++ "'", + txt ++ " (" ++ name' ++ " at " ++ domain' ++ ")") in case meth of ReferenceObfuscation -> -- need to use preEscapedString or &'s are escaped to & in URL |