From 9e528f4c0ce47c3ae7d233ba9627d2ed3df60fd7 Mon Sep 17 00:00:00 2001 From: John MacFarlane Date: Tue, 7 Jul 2015 11:15:40 -0700 Subject: Fixed email javascript obfuscation with mailto: URLs. This fixes a potential security issue. Because single quotes weren't being escaped in the link portion, a specially crafted email address could allow javascript code injection. [Jim'+alert('hi')+'OBrien](mailto:me@example.com) Closes #2280. --- tests/writer.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/writer.html b/tests/writer.html index 1357fa7c4..4a60a7b97 100644 --- a/tests/writer.html +++ b/tests/writer.html @@ -481,7 +481,7 @@ Blah

Empty.
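Review bot: The only change under tests/ is a one-line replacement in the hunk at `@@ -481,7 +481,7 @@` of tests/writer.html (1 insertion, 1 deletion), so the suite gains no new case for the input that triggered the bug. Add a fixture whose link text contains a single quote, for example the `[Jim'+alert('hi')+'OBrien](mailto:me@example.com)` input from the commit message, together with its expected output, so the escaping stays pinned if the obfuscation code is touched again. This view is limited to 'tests', so the writer change itself is not shown here and cannot be checked against the fixture.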

-- cgit v1.2.3
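The injection described in the commit message, as an added example (not pandoc's code): it assumes the obfuscation script places the link text inside a single-quoted JavaScript string literal. The function names `jsLiteralUnsafe`, `jsLiteralSafe` and `evaluate` are hypothetical.

```javascript
// Added illustration, not pandoc's implementation. Assumption: the generated
// script embeds the link text as a single-quoted JavaScript string literal.

// "Before" form: the text is pasted between the quotes unchanged.
function jsLiteralUnsafe(text) {
  return "'" + text + "'";
}

// Hardened form: escape every character that can end the literal early or
// close the surrounding <script> element.
function jsLiteralSafe(text) {
  const map = {
    "\\": "\\\\", "'": "\\'", "\n": "\\n", "\r": "\\r",
    "\u2028": "\\u2028", "\u2029": "\\u2029", "<": "\\x3c",
  };
  return "'" + text.replace(/[\\'\n\r\u2028\u2029<]/g, (c) => map[c]) + "'";
}

// Evaluate a generated expression with a stub `alert` and report whether the
// stub ran, i.e. whether the text escaped the literal and executed as code.
function evaluate(expr) {
  let called = false;
  const alertStub = () => { called = true; return ""; };
  const value = new Function("alert", "return " + expr + ";")(alertStub);
  return { value, called };
}

// Link text taken from the commit message.
const linkText = "Jim'+alert('hi')+'OBrien";

const before = evaluate(jsLiteralUnsafe(linkText));
const after = evaluate(jsLiteralSafe(linkText));
console.log("unescaped:", before); // the stub runs, the text is altered
console.log("escaped:  ", after);  // the stub does not run, text round-trips
```
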