]> Sergey Matveev's repositories - public-inbox.git/commitdiff
projects / public-inbox.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0195eb1)
extmsg: escape ampersands in @EXT_URL array
authorEric Wong <e@80x24.org>
Sat, 27 Apr 2019 21:46:54 +0000 (21:46 +0000)
committerEric Wong <e@80x24.org>
Sat, 27 Apr 2019 21:46:54 +0000 (21:46 +0000)
We already escape the user-provided Message-IDs (so there's no
security problem AFAIK), but the URL templates which exist in
our source code were not escaped properly.

This quiets down tidy(1).

lib/PublicInbox/ExtMsg.pm patch | blob | history

diff --git a/lib/PublicInbox/ExtMsg.pm b/lib/PublicInbox/ExtMsg.pm
index 14d49cc59e186c8102fe60eda13513c767a2fa94..d07d5a79edb720869d53d7d8f8bf5fb7130f7643 100644 (file)
--- a/lib/PublicInbox/ExtMsg.pm
+++ b/lib/PublicInbox/ExtMsg.pm
@@ -8,13 +8,13 @@
 package PublicInbox::ExtMsg;
 use strict;
 use warnings;
-use PublicInbox::Hval;
+use PublicInbox::Hval qw/ascii_html/;
 use PublicInbox::MID qw/mid2path/;
 use PublicInbox::WwwStream;
 our $MIN_PARTIAL_LEN = 16;
 
 # TODO: user-configurable
-our @EXT_URL = (
+our @EXT_URL = map { ascii_html($_) } (
        # leading "//" denotes protocol-relative (http:// or https://)
        '//marc.info/?i=%s',
        '//www.mail-archive.com/search?l=mid&q=%s',
My patches to https://public-inbox.org/public-inbox.git