From 095535b82a78e7400c0fd77db6525d4c0652d332 Mon Sep 17 00:00:00 2001 From: Acts1631 Date: Tue, 7 Jul 2026 22:07:00 -0400 Subject: [PATCH] security: percent-encode clipboard selection in biblemap URL The "Open in Bible Map" context menu action builds a URL by concatenating the clipboard selection directly into a URL fragment: g_strconcat("http://www.biblemap.org/#", dict_key, NULL) without any percent-encoding. Characters like spaces, #, &, ?, or newlines in the selection alter the resulting URL structure passed to the system browser via xiphos_open_default() (gtk_show_uri_on_window on Linux, ShellExecuteW on Windows). A selection containing a second # hijacks the fragment; spaces can break the URL; crafted content can confuse naive URL parsers. Percent-encode the selection with g_uri_escape_string() before inserting it into the URL so that URL-significant characters are escaped and the browser receives the intended fragment. --- src/gtk/menu_popup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/gtk/menu_popup.c b/src/gtk/menu_popup.c index a6c5af930..1053b946b 100644 --- a/src/gtk/menu_popup.c +++ b/src/gtk/menu_popup.c @@ -1308,9 +1308,11 @@ G_MODULE_EXPORT void on_lookup_google_activate(GtkMenuItem *menuitem, if ((dict_key == NULL) || (*dict_key == '\0')) { gui_generic_warning("No selection made"); } else { + gchar *enc_key = g_uri_escape_string(dict_key, NULL, FALSE); gchar *showstr = - g_strconcat("http://www.biblemap.org/#", dict_key, NULL); + g_strconcat("http://www.biblemap.org/#", enc_key, NULL); xiphos_open_default(showstr); + g_free(enc_key); g_free(showstr); } g_free(dict_key);