view: escape From name properly for title
authorEric Wong <e@80x24.org>
Tue, 7 Jun 2016 07:14:01 +0000 (07:14 +0000)
committerEric Wong <e@80x24.org>
Tue, 7 Jun 2016 07:14:37 +0000 (07:14 +0000)
Oops :x   Add an additional test for live data for any
unprintable characters, too, since this could be a dangerous
source of HTML injection.

lib/PublicInbox/View.pm
t/check-www-inbox.perl

index 2b40bcdd37f31c7e0a715d130a59cd3fd0b4b675..0ba78fe2d9e103bcbe201dbbb47d1cf32a56fa40 100644 (file)
@@ -324,7 +324,8 @@ sub headers_to_html_header {
                $v = PublicInbox::Hval->new($v);
 
                if ($h eq 'From') {
-                       $title[1] = PublicInbox::Address::from_name($v->raw);
+                       my $n = PublicInbox::Address::from_name($v->raw);
+                       $title[1] = ascii_html($n);
                } elsif ($h eq 'Subject') {
                        $title[0] = $v->as_html;
                        if ($srch) {
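Review bot: The new `$title[1] = ascii_html($n);` line is the right fix, but nothing records why this branch needs an explicit escape while the Subject branch gets `$v->as_html`; a comment such as `# from_name() returns the unescaped display name; it lands in <title>, so escape it` would keep a later refactor from dropping the call. `ascii_html` is presumably imported from PublicInbox::Hval elsewhere in View.pm — the hunk does not show the import, so confirm it is in scope. A unit-level regression test asserting that a From name containing `<` or `&` appears entity-escaped in the generated `<title>` would pin this more directly than the live crawl added in t/check-www-inbox.perl, which only looks for control characters. headers_to_html_header starts and continues outside this hunk.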
index 7cfe19328b7266d93200c434cb410833e9c0c97d..6be631e9dc5c0e89ffff5a1530a72cbcddbdb40d 100644 (file)
@@ -13,6 +13,7 @@ use LWP::ConnCache;
 use POSIX qw(:sys_wait_h);
 use Time::HiRes qw(gettimeofday tv_interval);
 use WWW::Mechanize;
+use Data::Dumper;
 my $nproc = 4;
 my $slow = 0.5;
 my %opts = (
@@ -145,5 +146,16 @@ sub worker_loop {
                        my $n = length($l);
                        die "$$ send truncated $s < $n\n" if $s != $n;
                }
+
+               # make sure the HTML source doesn't screw up terminals
+               # when people curl the source (not remotely an expert
+               # on languages or encodings, here).
+               next if $r->header('Content-Type') !~ m!\btext/html\b!;
+               my $dc = $r->decoded_content;
+               if ($dc =~ /([\x00-\x08\x0d-\x1f\x7f-\x{99999999}]+)/s) {
+                       my $o = $1;
+                       my $c = Dumper($o);
+                       warn "bad: $u $c\n";
+               }
        }
 }
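Review bot: `Dumper($o)` with Data::Dumper's defaults prints the captured string in single quotes without escaping control characters, so the `warn "bad: $u $c\n"` line re-emits the very bytes the check is meant to keep off the terminal; adding `local $Data::Dumper::Useqq = 1;` before the `Dumper` call makes them appear as backslash escapes instead. The class `[\x00-\x08\x0d-\x1f\x7f-\x{99999999}]` relies on an arbitrary upper bound beyond U+10FFFF; the equivalent negated class `[^\x09-\x0c\x20-\x7e]` states the intent (anything outside printable ASCII plus TAB/LF/VT/FF) without it, and makes it obvious that every legitimate non-ASCII character is flagged too, so a hit is a warning to inspect rather than evidence of injection. Because `<` and `&` are printable, this check does not exercise the View.pm escaping fix that the commit message describes; a unit test on the rendered `<title>` would. `$r`, `$u` and the enclosing loop are defined outside the hunk, and if the Content-Type header is absent the `!~` on the `next if` line would match against undef and warn under `use warnings`.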