Skip to content

percent-encode clipboard selection in biblemap URL#1346

Open
acts-1631 wants to merge 1 commit into
crosswire:masterfrom
acts-1631:fix/map-lookup-url-injection
Open

percent-encode clipboard selection in biblemap URL#1346
acts-1631 wants to merge 1 commit into
crosswire:masterfrom
acts-1631:fix/map-lookup-url-injection

Conversation

@acts-1631

Copy link
Copy Markdown

The "Open in Bible Map" action in the context menu builds a URL by
concatenating the clipboard selection into a fragment:

http://www.biblemap.org/#

The selection is not percent-encoded, so characters like spaces, #, &,
or newlines alter the URL structure passed to the system browser. A
second # in the selection hijacks the fragment portion.

The selection is now escaped with g_uri_escape_string() before being
inserted into the URL.

The "Open in Bible Map" context menu action builds a URL by
concatenating the clipboard selection directly into a URL fragment:
  g_strconcat("http://www.biblemap.org/#", dict_key, NULL)
without any percent-encoding. Characters like spaces, #, &, ?, or
newlines in the selection alter the resulting URL structure passed to
the system browser via xiphos_open_default() (gtk_show_uri_on_window on
Linux, ShellExecuteW on Windows). A selection containing a second #
hijacks the fragment; spaces can break the URL; crafted content can
confuse naive URL parsers.

Percent-encode the selection with g_uri_escape_string() before
inserting it into the URL so that URL-significant characters are
escaped and the browser receives the intended fragment.
@acts-1631 acts-1631 force-pushed the fix/map-lookup-url-injection branch from 872e1ca to 095535b Compare July 8, 2026 02:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant