From 7124de946aa90e66a8f114013b54b99259e3f767 Mon Sep 17 00:00:00 2001
From: Devon Kirk
Date: Thu, 18 Jun 2026 15:56:52 -0400
Subject: [PATCH] fix: escape ampersand and apostrophe in annotation content to prevent stored XSS

The annotation rendering code only replaced <, >, \n, and " with HTML entities. The ampersand was not escaped, enabling an entity encoding bypass: an attacker could enter e.g. < which libxml2 would store as &#60; and decode back to < on retrieval, allowing arbitrary HTML injection. Add & (must be first to prevent double-encoding) and apostrophe for defense in depth.
---
 src/main/display.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/main/display.cc b/src/main/display.cc
index f5cd59ffd..a4fd05f72 100644
--- a/src/main/display.cc
+++ b/src/main/display.cc
@@ -139,18 +139,20 @@ using namespace std;
 // user annotation cache filling.
 //
-#define NUM_REPLACE 4
+#define NUM_REPLACE 6
 struct replace {
 gchar c;
 gchar *s;
 } replacement[NUM_REPLACE] = {
- // < and > must be first.
+ // & must be first to avoid double-encoding
+ {'&', (gchar *)"&"},
 {'<', (gchar *)"<"},
 {'>', (gchar *)">"},
 {'\n', (gchar *)"
"},
 {'"', (gchar *)"""},
+ {'\'', (gchar *)"'"},
 };
 // a macro to substitute the visually ugly presentation below.