<p>Context: geany helpfully indicates when the opened file is updated (according to ctime) or deleted from the filesystem.  This indicator seems to employ some part of gtk that renders HTML.</p>
<p>Steps to reproduce:</p>
<ol>
<li>In a shell, <code>touch 'john;guitar&amp;studio.mp3'</code></li>
<li>Open geany, for example from the shell <code>geany 'john;guitar&amp;studio.mp3'</code></li>
<li>Cause an indicator to pop up, for example <code>touch 'john;guitar&amp;studio.mp3'</code> from the shell.</li>
<li>Look at geany again, and read the indicator content.</li>
</ol>
<p>Expected indicator content: <code>The file 'john;guitar&amp;studio.mp3' on the disk is more recent than the current buffer.  Do you want to reload it?</code></p>
<p>Actual indicator content: <code>The file 'john;guitar&studio.mp3' on the disk is more recent than the current buffer.  Do you want to reload it?</code>  Note that the HTML entity <code>&amp;</code> is collapsed to a single <code>&</code>.</p>
<p>As far as I can see, this is not really exploitable, because that requires really weird filenames, the renderer absolutely requires valid XHTML, and the filename cannot contain a forward slash (<code>/</code>) to provide closing tags.  Also, not all HTML entities are accepted.  This is why I chose to make this report public.<br>
However, it is bad enough that it should be fixed.</p>
<p>There seem to be no related bugs in this bugtracker.  <a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="119165800" data-permission-text="Issue title is private" data-url="https://github.com/geany/geany/issues/779" data-hovercard-type="issue" data-hovercard-url="/geany/geany/issues/779/hovercard" href="https://github.com/geany/geany/issues/779">#779</a> is the opposite of this bug.</p>
<p>Or is this a Scintilla bug again?</p>
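<p>Added example, not part of the original report and not Geany's code: a self-contained C sketch of the behaviour described above, showing the filename from the report placed into message markup unescaped and escaped. The escaper, the toy entity-decoding renderer, the shortened message text and the names <code>markup_escape</code>, <code>render</code> and <code>displayed</code> are all assumptions made for illustration.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const struct { char ch; const char *ent; } ENT[] = {
    {'&', "&amp;"}, {'<', "&lt;"}, {'>', "&gt;"}, {'"', "&quot;"}, {'\'', "&apos;"} };
enum { N_ENT = sizeof ENT / sizeof ENT[0] };

/* Escape markup metacharacters; hypothetical stand-in for a library escaper. */
char *markup_escape(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1), *p = out;  /* longest entity: 6 bytes */
    if (!out) return NULL;
    for (; *s; s++) {
        int i = 0;
        while (i < N_ENT && ENT[i].ch != *s) i++;
        if (i < N_ENT) p += sprintf(p, "%s", ENT[i].ent);
        else *p++ = *s;
    }
    *p = '\0'; return out;
}

/* Toy renderer (assumption): decodes entities in place, as a markup label would. */
char *render(char *m) {
    char *r = m, *w = m;
    while (*r) {
        int i = 0;
        while (i < N_ENT && strncmp(r, ENT[i].ent, strlen(ENT[i].ent)) != 0) i++;
        if (i < N_ENT) { *w++ = ENT[i].ch; r += strlen(ENT[i].ent); }
        else *w++ = *r++;
    }
    *w = '\0'; return m;
}

/* Text the user sees once the filename is placed into the message markup. */
char *displayed(const char *filename, int escape) {
    char *name = escape ? markup_escape(filename) : NULL;
    char *markup = malloc(512);                /* ample for the sample message */
    if (!markup || (escape && !name)) { free(markup); free(name); return NULL; }
    snprintf(markup, 512, "The file '%s' on the disk is more recent than the "
             "current buffer.", escape ? name : filename);
    free(name);
    return render(markup);
}

int main(void) {
    const char *fn = "john;guitar&amp;studio.mp3";   /* filename from the report */
    char *bad = displayed(fn, 0), *good = displayed(fn, 1);
    printf("unescaped: %s\nescaped:   %s\n", bad, good);
    free(bad); free(good); return 0;
}
```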
