Context: geany helpfully indicates when the opened file is updated (according to ctime) or deleted from the filesystem. This indicator seems to employ some part of gtk that renders HTML.
Steps to reproduce:
1. In a shell, `touch 'john;guitar&amp;studio.mp3'`
2. Open geany, for example from the shell `geany 'john;guitar&amp;studio.mp3'`
3. Cause an indicator to pop up, for example `touch 'john;guitar&amp;studio.mp3'` from the shell.
4. Look at geany again, and read the indicator content.

Expected indicator content: `The file 'john;guitar&amp;studio.mp3' on the disk is more recent than the current buffer. Do you want to reload it?`
Actual indicator content: `The file 'john;guitar&studio.mp3' on the disk is more recent than the current buffer. Do you want to reload it?` Note that the HTML entity `&amp;` is collapsed to a single `&`.
As far as I can see, this is not really exploitable, because that requires really weird filenames, the renderer absolutely requires valid XHTML, and the filename cannot contain a forward slash (`/`) to provide closing tags. Also, not all HTML entities are accepted. This is why I chose to make this report public. However, it is bad enough that it should be fixed.
There seem to be no related bugs in this bugtracker. #779 is the opposite of this bug.
Or is this a Scintilla bug again?
Closed #2033 via f3a85525aeff921097209d6ade6f9bb1cf2b7097.
Thanks for the report, it's now fixed.
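The behaviour reported in this thread, reproduced as an added example (not geany's code and not the contents of the fixing commit): a file name that contains the literal text `&amp;` is shown wrongly when placed into markup unescaped, and shown exactly when escaped first. `markup_escape`, `markup_render` and `shown_name` are hypothetical names, and `markup_render` is a constructed stand-in that assumes the indicator decodes XML-style entities.

```c
#include <stdio.h>
#include <string.h>

static const char *ENT[] = { "&amp;", "&lt;", "&gt;", "&quot;", "&apos;" };
static const char LIT[] = "&<>\"'";  /* LIT[i] is written as ENT[i] in markup */
#define SAMPLE_NAME "john;guitar&amp;studio.mp3"  /* constructed sample name */

/* Escape markup-special characters; returns -1 if out is too small. */
int markup_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *hit = strchr(LIT, *in);
        const char *rep = hit ? ENT[hit - LIT] : one;
        size_t n = strlen(rep);
        if (o + n >= outsz) return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Constructed stand-in for the markup renderer: decodes the entities in ENT. */
void markup_render(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    while (*in && o + 1 < outsz) {
        size_t adv = 1;
        char c = *in;
        for (int i = 0; i < 5; i++)
            if (strncmp(in, ENT[i], strlen(ENT[i])) == 0) { c = LIT[i]; adv = strlen(ENT[i]); break; }
        out[o++] = c;
        in += adv;
    }
    out[o] = '\0';
}

/* Hypothetical helper: the file name as a user reads it in the indicator. */
const char *shown_name(const char *filename, int escape)
{
    static char markup[1024], shown[1024];
    if (!escape) snprintf(markup, sizeof markup, "%s", filename);
    else if (markup_escape(filename, markup, sizeof markup) != 0) return NULL;
    markup_render(markup, shown, sizeof shown);
    return shown;
}

int main(void) { puts(shown_name(SAMPLE_NAME, 0)); puts(shown_name(SAMPLE_NAME, 1)); return 0; }
```

In a GLib program, `g_markup_escape_text()` performs this escaping before text is handed to a markup-parsing widget.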