Quick fix to "Script self-injection in edit box".

In the 'Edit...' box, the sourceContent (which was written by a user) has its < replaced with < . This issue does not propagate to the public timeline nor to the recipients of the post. Reference: https://codeberg.org/grunfink/snac2/issues/53
author: default 2023-06-16 09:25:32 +0200
committer: default 2023-06-16 09:25:32 +0200
commit: 5be22394675bff99cae673251696f8d0ce8ce0de (patch)
tree: 62231f459d9ff06393b3f29712bd55bb7f42f788
parent: Version 2.35 RELEASED. (diff)
download: snac2-5be22394675bff99cae673251696f8d0ce8ce0de.tar.gz
snac2-5be22394675bff99cae673251696f8d0ce8ce0de.tar.xz
snac2-5be22394675bff99cae673251696f8d0ce8ce0de.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/html.c b/html.c
index 892a08c..9f9737a 100644
--- a/html.c
+++ b/html.c
@@ -668,9 +668,11 @@ xs_str *html_entry_controls(snac *snac, xs_str *os, const xs_dict *msg, const ch
    s = xs_str_cat(s, "</form>\n");
-    char *prev_src = xs_dict_get(msg, "sourceContent");
+    const char *prev_src1 = xs_dict_get(msg, "sourceContent");
+    if (!xs_is_null(prev_src1) && strcmp(actor, snac->actor) == 0) {
+        xs *prev_src = xs_replace(prev_src1, "<", "&lt;");
-    if (!xs_is_null(prev_src) && strcmp(actor, snac->actor) == 0) {
        /* post can be edited */
        xs *s1 = xs_fmt(
            "<p><details><summary>%s</summary>\n"
author	default	2023-06-16 09:25:32 +0200
committer	default	2023-06-16 09:25:32 +0200
commit	5be22394675bff99cae673251696f8d0ce8ce0de (patch)
tree	62231f459d9ff06393b3f29712bd55bb7f42f788
parent	Version 2.35 RELEASED. (diff)
download	snac2-5be22394675bff99cae673251696f8d0ce8ce0de.tar.gz snac2-5be22394675bff99cae673251696f8d0ce8ce0de.tar.xz snac2-5be22394675bff99cae673251696f8d0ce8ce0de.zip