From 419d9545814cb07c252422b20a77063f0f6101d1 Mon Sep 17 00:00:00 2001
From: Eduard Braun <eduard.braun2@gmx.de>
Date: Tue, 14 Feb 2017 00:01:59 +0100
Subject: Extensions: Fix potential security issue with "description"
 parameters. When using 'appearance="header"' arbitrary markup could be
 inlcuded (including URLs)

(bzr r15518)
---
 src/extension/param/description.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/extension/param/description.cpp')

diff --git a/src/extension/param/description.cpp b/src/extension/param/description.cpp
index 5923adea8..3d970b204 100644
--- a/src/extension/param/description.cpp
+++ b/src/extension/param/description.cpp
@@ -16,6 +16,7 @@
 #include <gtkmm/box.h>
 #include <gtkmm/label.h>
 #include <glibmm/i18n.h>
+#include <glibmm/markup.h>
 
 #include "xml/node.h"
 #include "extension/extension.h"
@@ -74,18 +75,17 @@ ParamDescription::get_widget (SPDocument * /*doc*/, Inkscape::XML::Node * /*node
         newguitext = _(_value);
     }
 
-    Gtk::Label * label;
+    Gtk::Label * label = Gtk::manage(new Gtk::Label());
     if (_mode == HEADER) {
-        label = Gtk::manage(new Gtk::Label(Glib::ustring("<b>") +newguitext + Glib::ustring("</b>"), Gtk::ALIGN_START));
+        label->set_markup(Glib::ustring("<b>") + Glib::Markup::escape_text(newguitext) + Glib::ustring("</b>"));
         label->set_margin_top(5);
         label->set_margin_bottom(5);
-        label->set_use_markup(true);
     } else {
-        label = Gtk::manage(new Gtk::Label(newguitext, Gtk::ALIGN_START));
+        label->set_text(newguitext);
     }
     label->set_line_wrap();
     //label->set_xalign(0); // requires gtkmm 3.16
-    label->set_alignment(0);
+    label->set_alignment(Gtk::ALIGN_START);
 
     // TODO: Ugly "fix" for gtk3 width/height calculation of labels.
     //   - If not applying any limits long labels will make the window grow horizontally until it uses up
-- 
cgit v1.2.3