theme_adium_append_message: escape alias before displaying it
authorGuillaume Desmottes <guillaume.desmottes@collabora.co.uk>
Tue, 18 Oct 2011 16:32:52 +0000 (18:32 +0200)
committerGuillaume Desmottes <guillaume.desmottes@collabora.co.uk>
Tue, 18 Oct 2011 16:35:01 +0000 (18:35 +0200)
Not doing so can lead to nasty HTML injection from hostile users.

https://bugzilla.gnome.org/show_bug.cgi?id=662035

libempathy-gtk/empathy-theme-adium.c

index 42c0914c83c94f66582b1ea1558e2e84a156caf6..66b03205d0955bcc684eec7ed6de9735edc92e98 100644 (file)
@@ -782,7 +782,7 @@ theme_adium_append_message (EmpathyChatView *view,
        EmpathyContact        *sender;
        TpMessage             *tp_msg;
        TpAccount             *account;
-       gchar                 *body_escaped;
+       gchar                 *body_escaped, *name_escaped;
        const gchar           *name;
        const gchar           *contact_id;
        EmpathyAvatar         *avatar;
@@ -947,8 +947,10 @@ theme_adium_append_message (EmpathyChatView *view,
                }
        }
 
+       name_escaped = g_markup_escape_text (name, -1);
+
        theme_adium_append_html (theme, func, html, body_escaped,
-                                avatar_filename, name, contact_id,
+                                avatar_filename, name_escaped, contact_id,
                                 service_name, message_classes->str,
                                 timestamp, is_backlog, empathy_contact_is_user (sender));
 
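Review bot: `contact_id` is still passed raw to `theme_adium_append_html` in the same call that now receives `name_escaped`, and it is an identifier that presumably also originates from the remote contact. If the helper substitutes it into the theme HTML the same way as the alias (its body is not visible in this hunk), it needs the same treatment: `id_escaped = g_markup_escape_text (contact_id, -1);`, pass `id_escaped` in the call, and add a matching `g_free (id_escaped);` next to the other frees. `service_name` and `avatar_filename` deserve the same check, though they look locally derived rather than peer-controlled. Separately, `g_markup_escape_text` returns NULL after a critical warning when given NULL, and the assignment of `name` lies outside the hunk, so it is worth confirming that `name` is always non-NULL here. A short comment above the new line, such as `/* alias is chosen by the remote contact; escape before it reaches the HTML template */`, would keep a later refactor from dropping the escape.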
@@ -961,6 +963,7 @@ theme_adium_append_message (EmpathyChatView *view,
        priv->last_is_backlog = is_backlog;
 
        g_free (body_escaped);
+       g_free (name_escaped);
        g_string_free (message_classes, TRUE);
 }