author | Guillaume Desmottes <guillaume.desmottes@collabora.co.uk> | 2011-10-19 00:32:52 +0800 |
---|---|---|
committer | Guillaume Desmottes <guillaume.desmottes@collabora.co.uk> | 2011-10-24 23:00:17 +0800 |
commit | 7e6126e5936a049436b2c56a796279ed164c3595 (patch) | |
tree | a71e51ec00340fa84f9dcbc884d06efa5fb1735f | |
parent | f46371d463e7eda28bd7a123489ec9bfb9625e75 (diff) | |
theme_adium_append_message: escape alias before displaying it
Not doing so can lead to nasty HTML injection from hostile users.
https://bugzilla.gnome.org/show_bug.cgi?id=662035
-rw-r--r-- | libempathy-gtk/empathy-theme-adium.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
index 8ca83a9db..8dfc07be2 100644
--- a/libempathy-gtk/empathy-theme-adium.c
+++ b/libempathy-gtk/empathy-theme-adium.c
@@ -782,7 +782,7 @@ theme_adium_append_message (EmpathyChatView *view,
   EmpathyContact *sender;
   TpMessage *tp_msg;
   TpAccount *account;
-  gchar *body_escaped;
+  gchar *body_escaped, *name_escaped;
   const gchar *name;
   const gchar *contact_id;
   EmpathyAvatar *avatar;
@@ -949,8 +949,10 @@ theme_adium_append_message (EmpathyChatView *view,
     }
   }
 
+  name_escaped = g_markup_escape_text (name, -1);
+
   theme_adium_append_html (theme, func, html, body_escaped,
-    avatar_filename, name, contact_id,
+    avatar_filename, name_escaped, contact_id,
     service_name, message_classes->str, timestamp, is_backlog,
     empathy_contact_is_user (sender));
 
@@ -963,6 +965,7 @@ theme_adium_append_message (EmpathyChatView *view,
   priv->last_is_backlog = is_backlog;
 
   g_free (body_escaped);
+  g_free (name_escaped);
   g_string_free (message_classes, TRUE);
 }
 
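Review bot: In the second hunk, only `name` is escaped before the `theme_adium_append_html` call, while `contact_id` (and `service_name`, `avatar_filename`) are still passed through unescaped on the same line; `contact_id` is contact-supplied data of the same origin as the alias, so if `theme_adium_append_html` substitutes it into the HTML template without its own escaping, the injection surface the commit closes for the alias remains open for the identifier. I cannot see `theme_adium_append_html` from this diff, so this needs confirming against its body, but the safe shape is to escape every contact-derived string at this call site, e.g. `gchar *contact_id_escaped = g_markup_escape_text (contact_id, -1);` paired with a `g_free (contact_id_escaped);` next to the new `g_free (name_escaped);` in the third hunk. Also worth a comment on the new line, since the reason is not obvious from the code alone: `/* name is contact-controlled and is inserted into the theme's HTML: escape it (bgo#662035) */`. The declaration hunk shows `name` starting uninitialized and `g_markup_escape_text` does not accept NULL, so the assignment to `name` in the stretch between the first and second hunks should guarantee a non-NULL value on every path; `theme_adium_append_message` begins before the first hunk.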