unsubscribe: HTML encode undecryptable username

Otherwise, URLs can be crafted to inject HTML.

diff --git a/lib/PublicInbox/Unsubscribe.pm b/lib/PublicInbox/Unsubscribe.pm
index 95348ea318f1d184c5876e9fe94f0b8fabdb155f..239feea9d9311c9e496036e80354809b71aeb22c 100644 (file)
--- a/lib/PublicInbox/Unsubscribe.pm
+++ b/lib/PublicInbox/Unsubscribe.pm
@@ -82,6 +82,7 @@ sub _user_list_addr {
                my $errors = $env->{'psgi.errors'};
                $errors->print("error decrypting: $u\n");
                $errors->print("$_\n") for split("\n", $err);
+               $u = Plack::Util::encode_html($u);
                return r($self, 400, 'Bad request', "Failed to decrypt: $u");
        }