From: Paul Hänsch
Date: Wed, 23 Feb 2022 15:11:22 +0000 (+0100)
Subject: bugfix: prevent HTML injection in reference style link titles
X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=47295e66eae70bb9efdf90297ef524453c13cd76;p=cgilite
bugfix: prevent HTML injection in reference style link titles
---
diff --git a/markdown.awk b/markdown.awk
index 65e0aef..27d4015 100755
--- a/markdown.awk
+++ b/markdown.awk
@@ -145,11 +145,11 @@ function inline( line, LOCAL, len, code, href, guard ) {
 id = gensub(/^\[([^\n]+)\] ?\[([^\n]*)\].*/, "\\2", 1, line);
 if ( ! id ) id = text;
 if ( rl_href[id] && rl_title[id] ) {
- return "" inline(text) "" inline( substr( line, len + 1) );
+ return "" inline(text) "" inline( substr( line, len + 1) );
 } else if ( rl_href[id] ) {
- return "" inline(text) "" inline( substr( line, len + 1) );
+ return "" inline(text) "" inline( substr( line, len + 1) );
 } else {
- return "" substr(line, 1, len) inline( substr(line, len + 1) );
+ return "" HTML(substr(line, 1, len)) inline( substr(line, len + 1) );
 }
 # inline images
@@ -171,11 +171,11 @@ function inline( line, LOCAL, len, code, href, guard ) {
 id = gensub(/^!\[([^\n]+)\] ?\[([^\n]*)\].*/, "\\2", 1, line);
 if ( ! id ) id = text;
 if ( rl_href[id] && rl_title[id] ) {
- return "\""" inline( substr( line, len + 1) );
+ return "\""" inline( substr( line, len + 1) );
 } else if ( rl_href[id] ) {
- return "\""" inline( substr( line, len + 1) );
+ return "\""" inline( substr( line, len + 1) );
 } else {
- return "" substr(line, 1, len) inline( substr(line, len + 1) );
+ return "" HTML(substr(line, 1, len)) inline( substr(line, len + 1) );
 }
 # ~~strikeout~~ (pandoc)
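Review bot: The `else` fallback now passes the unresolved `[text][id]` source through HTML() before returning it, but the two branches above it, where the reference resolves and `rl_href[id]` / `rl_title[id]` are emitted inside the anchor tag, read identically on the `-` and `+` sides in this rendering because the tag markup was stripped, so the title escaping the commit subject describes cannot be confirmed from this view. If wrapping `rl_title[id]` (and `rl_href[id]`) in HTML() is the change inside the tag, a comment above the first `return` would make the intent visible, e.g. `# rl_href/rl_title are taken from document-supplied reference definitions: escape them before emitting as attribute values`. Note that HTML escaping only protects the attribute boundary; whether the scheme of `rl_href[id]` is validated anywhere is not visible here and is worth documenting separately if the project relies on it. The image hunk at @@ -171 has the same structure and the same fallback change, and the same remark applies there; `inline` begins and ends outside both hunks.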
@@ -195,7 +195,7 @@ function inline( line, LOCAL, len, code, href, guard ) {
 # ignore embedded underscores (pandoc, php md)
 } else if ( match(line, "^[[:alnum:]](__|_)") ) {
- return substr( line, 1, RLENGTH) inline( substr(line, RLENGTH + 1) );
+ return HTML(substr( line, 1, RLENGTH)) inline( substr(line, RLENGTH + 1) );
 # __strong__$
 } else if ( match(line, "^__(([^_[:space:]]|" ieu ")|([^_[:space:]]|" ieu ")(" nu "|" ieu ")*([^_[:space:]]|" ieu "))__$") ) {
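Review bot: HTML() on the `^[[:alnum:]](__|_)` match in the `+` line is presumably a no-op, since the matched prefix can only contain alphanumerics and underscores, none of which an HTML escaper should need to rewrite. It is still a sound defence-in-depth choice, because every literal passthrough in `inline` now goes through the same escaper, but that reasoning should be written down so the call is neither "optimized" away later nor mistaken for a fix of an actual injection here. A comment such as `# matched text is [[:alnum:]_] only; HTML() kept so every literal passthrough is escaped` above the return would suffice. The enclosing `inline` function starts and ends outside this hunk.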