Up until now it was possible to inject some XML or just broke returned
vCard listing by preparing contact with some special characters.
---
plugins/pbap.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/plugins/pbap.c b/plugins/pbap.c
index 5455cce..82963af 100644
--- a/plugins/pbap.c
+++ b/plugins/pbap.c
@@ -469,9 +469,12 @@ static int generate_response(void *user_data)
pbap->obj->buffer = g_string_new(VCARD_LISTING_BEGIN);
for (; l && max; l = l->next, max--) {
const struct cache_entry *entry = l->data;
+ char *escaped_name = g_markup_escape_text(entry->name, -1);
g_string_append_printf(pbap->obj->buffer,
- VCARD_LISTING_ELEMENT, entry->handle, entry->name);
+ VCARD_LISTING_ELEMENT, entry->handle, escaped_name);
+
+ g_free(escaped_name);
}
pbap->obj->buffer = g_string_append(pbap->obj->buffer,
--
1.7.4.1
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
