From 47295e66eae70bb9efdf90297ef524453c13cd76 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?= <paul@plutz.net>
Date: Wed, 23 Feb 2022 16:11:22 +0100
Subject: [PATCH] bugfix: prevent HTML injection in reference style link titles

---
 markdown.awk | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/markdown.awk b/markdown.awk
index 65e0aef..27d4015 100755
--- a/markdown.awk
+++ b/markdown.awk
@@ -145,11 +145,11 @@ function inline( line, LOCAL, len, code, href, guard ) {
       id = gensub(/^\[([^\n]+)\] ?\[([^\n]*)\].*/, "\\2", 1, line);
     if ( ! id ) id = text;
     if ( rl_href[id] && rl_title[id] ) {
-      return "<a href=\"" rl_href[id] "\" title=\"" rl_title[id] "\">" inline(text) "</a>" inline( substr( line, len + 1) );
+      return "<a href=\"" HTML(rl_href[id]) "\" title=\"" HTML(rl_title[id]) "\">" inline(text) "</a>" inline( substr( line, len + 1) );
     } else if ( rl_href[id] ) {
-      return "<a href=\"" rl_href[id] "\">" inline(text) "</a>" inline( substr( line, len + 1) );
+      return "<a href=\"" HTML(rl_href[id]) "\">" inline(text) "</a>" inline( substr( line, len + 1) );
     } else {
-      return "" substr(line, 1, len) inline( substr(line, len + 1) );
+      return "" HTML(substr(line, 1, len)) inline( substr(line, len + 1) );
     }
 
   # inline images
@@ -171,11 +171,11 @@ function inline( line, LOCAL, len, code, href, guard ) {
       id = gensub(/^!\[([^\n]+)\] ?\[([^\n]*)\].*/, "\\2", 1, line);
     if ( ! id ) id = text;
     if ( rl_href[id] && rl_title[id] ) {
-      return "<img src=\"" rl_href[id] "\" alt=\"" HTML(text) "\" title=\"" rl_title[id] "\" />" inline( substr( line, len + 1) );
+      return "<img src=\"" HTML(rl_href[id]) "\" alt=\"" HTML(text) "\" title=\"" HTML(rl_title[id]) "\" />" inline( substr( line, len + 1) );
     } else if ( rl_href[id] ) {
-      return "<img src=\"" rl_href[id] "\" alt=\"" HTML(text) "\" />" inline( substr( line, len + 1) );
+      return "<img src=\"" HTML(rl_href[id]) "\" alt=\"" HTML(text) "\" />" inline( substr( line, len + 1) );
     } else {
-      return "" substr(line, 1, len) inline( substr(line, len + 1) );
+      return "" HTML(substr(line, 1, len)) inline( substr(line, len + 1) );
     }
 
   #  ~~strikeout~~ (pandoc)
@@ -195,7 +195,7 @@ function inline( line, LOCAL, len, code, href, guard ) {
 
   # ignore embedded underscores (pandoc, php md)
   } else if ( match(line, "^[[:alnum:]](__|_)") ) {
-    return substr( line, 1, RLENGTH) inline( substr(line, RLENGTH + 1) );
+    return HTML(substr( line, 1, RLENGTH)) inline( substr(line, RLENGTH + 1) );
 
   #  __strong__$
   } else if ( match(line, "^__(([^_[:space:]]|" ieu ")|([^_[:space:]]|" ieu ")(" nu "|" ieu ")*([^_[:space:]]|" ieu "))__$") ) {
-- 
2.39.2