Is pango markup injection a security vulnerability?

I have found a pango markup injection bug in a non-gnome gtk app. I’d like to know whether or not it can be a security vulnerability. I need this do decide whether to follow coordinated disclosure or just post it to the bugtracker.
What I mean by “pango markup injection bug” is that a string is concatenated to a pango markup string without being properly escaped first and then fed to gtk_label_set_markup or similar. After a quick look at the official documentation of the features of pango markup I came to a preliminary conclusion that the bug is probably not a security issue because if it were the docs would surely mention it and also the markup language looks simple and harmless but I’d like someone with more knowledge of the topic to confirm this because docs also don’t say it’s not a security issue.

File an issue, and check this box:


So that only you and the maintainers can see it. If it’s not a security issue, the maintainers will open it up.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.