From d62cddc90cb4c00d4b5e4b5f388c7961488e75d6 Mon Sep 17 00:00:00 2001 From: Devon Kirk Date: Tue, 30 Jun 2026 19:45:32 -0400 Subject: [PATCH] fix: prevent breakout in HtmlOutput anchor JS literal g_strescape() escapes backslash, double-quote, and C0 control bytes but leaves '<', '>', and '/' untouched, so a sword:// fragment of "" passes through unchanged when interpolated into the inline ' and starts a new block, which executes arbitrary JavaScript in the file:// origin that wk_html_set_base_uri() hardcodes. The fragment can originate from any BibleSync UDP multicast peer on the LAN (biblesync_glue.cc:179 constructs the sword:// URL from peer-supplied bible and ref), from argv[1], or from a sword:// href click inside a malicious SWORD module. Substitute '', and '/' untouched, so a value of + // "" would end the + // inline ", - esc_anchor); - g_free(esc_anchor); + safe_anchor); + g_free(safe_anchor); XIPHOS_HTML_WRITE(html, buf, strlen(buf)); g_free(buf); }