On Tue, 10 Mar 2020 19:52:17 +0200 guysv <sviry...@gmail.com> wrote:

Dear guysv,

> Because ",',<,>,& are all valid unix filename characters,
> filenames containing those characters can glitch-out a dirlist
> response.
>
> A funny example would be:
> "><img src="blabla" onerror="alert(1)"
>
> This commit escapes dynamic input, and fixes the bug.

sorry for the late response and thanks for submitting this patch! I've
written a commit[0] reflecting your suggestion, but made some changes in
that I structured the different escapes in a struct-array and used
explicit offsets and memcpy() instead of strcat(). I didn't like that we
assumed the length of the destination to be sufficient (which it was,
but reusability is key), so I made it safe by checking the offsets
properly.

Now the dirlistings in quark are safe from XSS. Thanks again for your
input and thank you Hiltjo for your feedback!

With best regards

Laslo

[0]:https://git.suckless.org/quark/commit/48e74a598247f4b81e09a0f652faf15163f9f525.html
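
The approach described in the reply above (an escape table in a struct array, explicit offsets, memcpy() and a checked destination length), as an added example that is not part of the original message and not quark's own code. The function name html_escape, its return convention and the choice of `&#39;` for the single quote are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Escape table: one entry per character named in the report (", ', <, >, &). */
static const struct {
	char c;
	const char *s;
} escapes[] = {
	{ '&', "&amp;" }, { '<', "&lt;" }, { '>', "&gt;" },
	{ '"', "&quot;" }, { '\'', "&#39;" },
};

/*
 * Hypothetical helper: write the HTML-escaped form of src into dst, which
 * holds dst_len bytes including the terminating NUL. Returns 0 on success
 * and 1 if dst is too small; on failure dst is set to the empty string so
 * that a half-written entity never reaches the response.
 */
int
html_escape(const char *src, char *dst, size_t dst_len)
{
	size_t i, j, len, off = 0;
	const char *rep;

	if (dst_len == 0)
		return 1;
	for (i = 0; src[i] != '\0'; i++) {
		rep = &src[i];	/* default: copy the byte unchanged */
		len = 1;
		for (j = 0; j < sizeof(escapes) / sizeof(escapes[0]); j++) {
			if (src[i] == escapes[j].c) {
				rep = escapes[j].s;
				len = strlen(rep);
				break;
			}
		}
		/* off < dst_len always holds; keep one byte for the NUL */
		if (len >= dst_len - off) {
			dst[0] = '\0';
			return 1;
		}
		memcpy(dst + off, rep, len);
		off += len;
	}
	dst[off] = '\0';
	return 0;
}
```

Every file name written into the listing markup goes through the helper first, and a return value of 1 means the entry is skipped or the request fails rather than emitting a truncated name.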