view: escape HTML description name

Otherwise funky filenames can cause HTML injection
vulnerabilities (hope you have JavaScript disabled!)

diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 0b1ec75b31fd3f297bfcf85fdea29364ba5ede8a..9ef4712f313cc0bf59f21cbbf38fcbb8beeb0bac 100644 (file)
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -438,6 +438,7 @@ sub attach_link ($$$$;$) {
        }
        $ret .= "[-- Attachment #$idx: ";
        my $ts = "Type: $ct, Size: $size bytes";
+       $desc = ascii_html($desc);
        $ret .= ($desc eq '') ? "$ts --]" : "$desc --]\n[-- $ts --]";
        $ret .= "</a>\n";
 }

diff --git a/t/view.t b/t/view.t
index 46fbe410d6810019271a89aac8ba9d772ce8acb4..2181b5efb34184a1a97bcfae8fa08d9ca0dff431 100644 (file)
--- a/t/view.t
+++ b/t/view.t
@@ -124,7 +124,7 @@ EOF
                Email::MIME->create(
                        attributes => {
                                content_type => 'text/plain',
-                               filename => "foo.patch",
+                               filename => "foo&.patch",
                        },
                        body => "--- a/file\n+++ b/file\n" .
                                "@@ -49, 7 +49,34 @@\n",
@@ -140,7 +140,7 @@ EOF
        );
 
        my $html = msg_html($mime);
-       like($html, qr!.*Attachment #2: foo\.patch --!,
+       like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!,
                "parts split with filename");
 }