media: escape html in fallback avatars

cmd/gomuks/media.go

@@ -38,6 +38,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/hlog"
 	_ "golang.org/x/image/webp"
+	"golang.org/x/net/html"
 
 	"go.mau.fi/util/exhttp"
 	"go.mau.fi/util/ffmpeg"
@@ -147,7 +148,7 @@ func isAllowedAvatarMime(mime string) bool {
 
 func (w *avatarResponseWriter) WriteHeader(statusCode int) {
 	if statusCode != http.StatusOK && statusCode != http.StatusNotModified {
-		data := []byte(fmt.Sprintf(fallbackAvatarTemplate, w.bgColor, w.character))
+		data := []byte(fmt.Sprintf(fallbackAvatarTemplate, w.bgColor, html.EscapeString(w.character)))
 		w.Header().Set("Content-Type", "image/svg+xml")
 		w.Header().Set("Content-Length", strconv.Itoa(len(data)))
 		w.Header().Del("Content-Disposition")

web/src/api/media.ts

@@ -40,9 +40,17 @@ function makeFallbackAvatar(backgroundColor: string, fallbackCharacter: string):
   <circle cx="500" cy="500" r="500" fill="${backgroundColor}"/>
   <text x="500" y="750" text-anchor="middle" fill="#fff" font-weight="bold" font-size="666"
     font-family="-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif"
-  >${fallbackCharacter}</text>
+  >${escapeHTMLChar(fallbackCharacter)}</text>
 </svg>`)
+}
 
+function escapeHTMLChar(char: string): string {
+	switch (char) {
+	case "&": return "&amp;"
+	case "<": return "&lt;"
+	case ">": return "&gt;"
+	default: return char
+	}
 }
 
 export const getAvatarURL = (userID: UserID, content?: Partial<MemberEventContent>): string | undefined => {