From ddc094b76ba60ff2f1f158317f0bf31bbd7a420d Mon Sep 17 00:00:00 2001
From: Jamie Mansfield <jmansfield@cadixdev.org>
Date: Fri, 24 Dec 2021 15:20:34 +0000
Subject: [PATCH] NOISUE Prevent potential HTML injection

---
 launcher/ui/pages/modplatform/technic/TechnicPage.cpp | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/launcher/ui/pages/modplatform/technic/TechnicPage.cpp b/launcher/ui/pages/modplatform/technic/TechnicPage.cpp
index 64054168..09535017 100644
--- a/launcher/ui/pages/modplatform/technic/TechnicPage.cpp
+++ b/launcher/ui/pages/modplatform/technic/TechnicPage.cpp
@@ -178,14 +178,12 @@ void TechnicPage::metadataLoaded()
     QString name = current.name;
 
     if (current.websiteUrl.isEmpty())
-        // This allows injecting HTML here.
-        text = name;
+        text = name.toHtmlEscaped();
     else
-        // URL not properly escaped for inclusion in HTML. The name allows for injecting HTML.
-        text = "<a href=\"" + current.websiteUrl + "\">" + name + "</a>";
+        text = "<a href=\"" + current.websiteUrl.toHtmlEscaped() + "\">" + name.toHtmlEscaped() + "</a>";
+
     if (!current.author.isEmpty()) {
-        // This allows injecting HTML here
-        text += tr(" by ") + current.author;
+        text += tr(" by ") + current.author.toHtmlEscaped();
     }
 
     text += "<br><br>";