fix: escape ampersand and apostrophe in annotation content to prevent stored XSS#1330

Merged
karlkleinpaste merged 1 commit into
crosswire:masterfrom
hyder365:pr-0004-fix-annotation-xss
Jun 19, 2026
Conversation

@hyder365

Contributor

The annotation rendering code only replaced <, >, \n, and " with HTML
entities. The ampersand was not escaped, enabling an entity encoding
bypass: an attacker could enter e.g. &#60; which libxml2 would store
as &#60; and decode back to < on retrieval, allowing arbitrary
HTML injection.

Add & (must be first to prevent double-encoding of < etc.) and
' to the replacement list. NUM_REPLACE goes from 4 to 6.

… stored XSS

The annotation rendering code only replaced <, >, \n, and " with HTML
entities. The ampersand was not escaped, enabling an entity encoding
bypass: an attacker could enter e.g. &#60; which libxml2 would store as
&amp;#60; and decode back to &#60; on retrieval, allowing arbitrary HTML
injection. Add & (must be first to prevent double-encoding) and
apostrophe for defense in depth.
@karlkleinpaste karlkleinpaste merged commit 0459c4f into crosswire:master Jun 19, 2026
7 checks passed
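As an added example (not code from the crosswire project or from this PR), the sequential, table-driven replacement the PR describes: the pre-fix four-entry table, the fixed six-entry table with `&` first, and a deliberately mis-ordered table that shows the double-encoding the PR author warns about. The entity strings, the newline mapping and every function name here are this example's assumptions.

```c
#include <string.h>
#define BUFSZ 256
typedef struct { const char *from; const char *to; } repl_t;
/* Entity strings and the newline mapping are this example's assumptions; the
 * PR only names the characters. The old table has no '&' entry. */
static const repl_t REPL_OLD[] = {
    {"<", "&lt;"}, {">", "&gt;"}, {"\n", "<br/>"}, {"\"", "&quot;"} };
/* Fixed table: '&' first, apostrophe added; NUM_REPLACE goes from 4 to 6. */
static const repl_t REPL_FIXED[] = {
    {"&", "&amp;"}, {"<", "&lt;"}, {">", "&gt;"}, {"\n", "<br/>"},
    {"\"", "&quot;"}, {"'", "&#39;"} };
/* Same six entries with '&' last, to show the double-encoding it causes. */
static const repl_t REPL_AMP_LAST[] = {
    {"<", "&lt;"}, {">", "&gt;"}, {"\n", "<br/>"}, {"\"", "&quot;"},
    {"'", "&#39;"}, {"&", "&amp;"} };
/* Replace every `from` in `in` with `to`; returns -1 if `out` is too small. */
static int replace_all(const char *in, const char *from, const char *to,
                       char *out, size_t outlen)
{
    size_t fl = strlen(from), tl = strlen(to), o = 0;
    for (const char *p = in; *p; ) {
        int hit = strncmp(p, from, fl) == 0;
        size_t len = hit ? tl : 1;
        if (o + len >= outlen) return -1;
        memcpy(out + o, hit ? to : p, len);
        o += len; p += hit ? fl : 1;
    }
    out[o] = '\0'; return 0;
}
/* One full pass per table entry, in table order, as the annotation code does.
 * A later '&' pass re-encodes the '&' of an earlier "&lt;", so '&' goes first. */
static int escape_seq(const repl_t *tab, size_t n, const char *in,
                      char *out, size_t outlen)
{
    char bufs[2][BUFSZ];
    if (strlen(in) >= BUFSZ) return -1;
    strcpy(bufs[0], in);
    for (size_t i = 0; i < n; i++)
        if (replace_all(bufs[i % 2], tab[i].from, tab[i].to,
                        bufs[(i + 1) % 2], BUFSZ) != 0) return -1;
    if (strlen(bufs[n % 2]) >= outlen) return -1;
    strcpy(out, bufs[n % 2]);
    return 0;
}
/* Returns 1 when escaping `in` with `tab` yields exactly `exp`. */
static int escapes_to(const repl_t *tab, size_t n, const char *in, const char *exp)
{
    char out[BUFSZ];
    return escape_seq(tab, n, in, out, sizeof out) == 0 && strcmp(out, exp) == 0;
}
```

With the old table a numeric character reference survives untouched and is decoded on retrieval; with the fixed table its `&` becomes `&amp;` and the stored text stays inert.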