view: fix title of HTML views
authorEric Wong <e@80x24.org>
Thu, 17 Apr 2014 22:05:04 +0000 (22:05 +0000)
committerEric Wong <e@80x24.org>
Thu, 17 Apr 2014 22:05:04 +0000 (22:05 +0000)
We need to take care to escape everything properly to avoid
HTML/JS injections.

lib/PublicInbox/View.pm

index 17aca94e63e1fbfb5aa4668f33be3b2d6e03960f..f645b9bab8684673a7f428edcdc5857bf099e02a 100644 (file)
@@ -153,11 +153,20 @@ sub headers_to_html_header {
                defined $v or next;
                $v =~ tr/\n/ /s;
                $v =~ tr/\r//d;
-               $v = ascii_html($enc_mime->decode($v));
+               my $raw = $enc_mime->decode($v);
+               $v = ascii_html($raw);
                $rv .= "$h: $v\n";
 
-               if ($h eq "From" || $h eq "Subject") {
-                       push @title, $v;
+               if ($h eq 'From') {
+                       my @from = Email::Address->parse($raw);
+                       $raw = $from[0]->name;
+                       unless (defined($raw) && length($raw)) {
+                               $raw = '<' . $from[0]->address . '>';
+                       }
+                       $title[1] = ascii_html($raw);
+
+               } elsif ($h eq 'Subject') {
+                       $title[0] = $v;
                }
        }
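Review bot: `$from[0]->name` in the new `From` branch is called without checking that `Email::Address->parse($raw)` returned anything, so a message whose From header is empty or unparsable would die with a method call on undef instead of rendering. Since the header comes from the mail itself, a sender can trigger this at will; guard it right after the parse, e.g. `unless (@from) { $title[1] = $v; next }`, which falls back to the already-escaped header text. The escaping itself looks consistent: `$title[1]` goes through `ascii_html` and `$title[0]` reuses the escaped `$v`. The enclosing loop and the code that joins `@title` are outside this hunk, so it is worth confirming there that a missing Subject (leaving `$title[0]` undefined) is handled.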