From 192ce4dacc108f1b62e8ef752eeb5a2bee3d337f Mon Sep 17 00:00:00 2001
From: Guillaume Desmottes
Date: Tue, 18 Oct 2011 18:32:52 +0200
Subject: [PATCH] theme_adium_append_message: escape alias before displaying it
Not doing so can lead to nasty HTML injection from hostile users.
https://bugzilla.gnome.org/show_bug.cgi?id=662035
[Alexandre Rostovtsev : backport to 2.32, and for good measure, escape alias on /me-type events too]
---
 libempathy-gtk/empathy-theme-adium.c | 9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
index 8c6301e..08f79b4 100644
--- a/libempathy-gtk/empathy-theme-adium.c
+++ b/libempathy-gtk/empathy-theme-adium.c
@@ -436,7 +436,7 @@ theme_adium_append_message (EmpathyChatView *view,
 EmpathyThemeAdiumPriv *priv = GET_PRIV (theme);
 EmpathyContact *sender;
 TpAccount *account;
- gchar *body_escaped;
+ gchar *body_escaped, *name_escaped;
 const gchar *body;
 const gchar *name;
 const gchar *contact_id;
@@ -468,17 +468,19 @@ theme_adium_append_message (EmpathyChatView *view,
 body = empathy_message_get_body (msg);
 body_escaped = theme_adium_parse_body (body);
 name = empathy_contact_get_alias (sender);
+ name_escaped = g_markup_escape_text (name, -1);
 contact_id = empathy_contact_get_id (sender);
 /* If this is a /me, append an event */
 if (empathy_message_get_tptype (msg) == TP_CHANNEL_TEXT_MESSAGE_TYPE_ACTION) {
 gchar *str;
- str = g_strdup_printf ("%s %s", name, body_escaped);
+ str = g_strdup_printf ("%s %s", name_escaped, body_escaped);
 theme_adium_append_event_escaped (view, str);
 g_free (str);
 g_free (body_escaped);
+ g_free (name_escaped);
 return;
 }
@@ -600,7 +602,7 @@ theme_adium_append_message (EmpathyChatView *view,
 if (html != NULL) {
 theme_adium_append_html (theme, func, html, len, body_escaped,
- avatar_filename, name, contact_id,
+ avatar_filename, name_escaped, contact_id,
 service_name, message_classes->str, timestamp, is_backlog);
 } else {
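Review bot: In the hunk at -468, the raw `name` pointer stays in scope beside `name_escaped` for the rest of theme_adium_append_message, so a later edit can hand the unescaped alias to the theme again with no compiler complaint. If nothing outside the visible hunks still needs the raw alias, drop the local and write `name_escaped = g_markup_escape_text (empathy_contact_get_alias (sender), -1);`; otherwise put a comment above the assignment such as `/* alias is chosen by the remote contact: only name_escaped may be inserted into theme HTML */`. g_markup_escape_text() rejects a NULL `text` and returns NULL, so the new line also assumes empathy_contact_get_alias() never returns NULL for a sender; that is worth confirming or guarding. The function body continues outside this hunk, so other uses of `name` between here and the theme_adium_append_html call cannot be checked from this page.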
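Review bot: In the hunk at -600, `contact_id` is still passed to theme_adium_append_html() raw on the same line that now escapes the alias, although it comes from empathy_contact_get_id (sender) and so is also supplied by the remote side. theme_adium_append_html() is not visible here, so whether the id is substituted into the theme markup is an assumption to confirm; if it is, it needs the same treatment, e.g. `id_escaped = g_markup_escape_text (contact_id, -1);` passed in place of `contact_id` and freed beside `name_escaped`. `avatar_filename` and `service_name` in the same call deserve the same check, though their origin is outside the hunk. A comment on theme_adium_append_html() stating which parameters must arrive pre-escaped would make that contract reviewable at each call site.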
@@ -616,6 +618,7 @@ theme_adium_append_message (EmpathyChatView *view,
 priv->last_is_backlog = is_backlog;
 g_free (body_escaped);
+ g_free (name_escaped);
 g_string_free (message_classes, TRUE);
 }
-- 
1.7.7