From: Eric Wong Date: Thu, 17 Apr 2014 22:05:04 +0000 (+0000) Subject: view: fix title of HTML views X-Git-Tag: v1.0.0~1239 X-Git-Url: http://www.git.stargrave.org/?p=public-inbox.git;a=commitdiff_plain;h=957d85db25b3dc99647ae15fd57d9e8dd9579883 view: fix title of HTML views We need to take care to escape everything properly to avoid HTML/JS injections.
---
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 17aca94e..f645b9ba 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -153,11 +153,20 @@ sub headers_to_html_header {
 defined $v or next;
 $v =~ tr/\n/ /s;
 $v =~ tr/\r//d;
- $v = ascii_html($enc_mime->decode($v));
+ my $raw = $enc_mime->decode($v);
+ $v = ascii_html($raw);
 $rv .= "$h: $v\n";
- if ($h eq "From" || $h eq "Subject") {
- push @title, $v;
+ if ($h eq 'From') {
+ my @from = Email::Address->parse($raw);
+ $raw = $from[0]->name;
+ unless (defined($raw) && length($raw)) {
+ $raw = '<' . $from[0]->address . '>';
+ }
+ $title[1] = ascii_html($raw);
+ } elsif ($h eq 'Subject') {
+ $title[0] = $v;
 }
 }
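Review bot: `$raw = $from[0]->name;` on the new side is reached without checking that `Email::Address->parse($raw)` returned anything, so a From header the parser rejects (empty, or malformed as real-world spam and mangled mail often is) leaves `$from[0]` undef and the method call dies mid-render, taking the whole page down instead of merely degrading the title; the same undef is dereferenced again in the `unless` fallback. The cheap fix is to consult name/address only on a parsed object and otherwise keep the full decoded header, which `ascii_html($raw)` on the next line still escapes, so the title stays injection-safe either way; a reworked branch is below. Since `Email::Address->parse` is regex-driven and has been reported to backtrack badly on crafted input, and the preceding `tr///` calls normalise but do not bound `$v`, it may be worth capping the header length before parsing, given this runs on every untrusted message. The hunk header counts (11/20) suggest two trailing context lines are cut off here, and `headers_to_html_header` itself starts and ends outside the hunk.
```perl
		if ($h eq 'From') {
			# An unparseable From keeps the whole decoded header as the
			# title; ascii_html() below still escapes it.
			if (my ($addr) = Email::Address->parse($raw)) {
				my $name = $addr->name;
				$raw = (defined($name) && length($name))
					? $name
					: '<' . $addr->address . '>';
			}
			$title[1] = ascii_html($raw);
		# … unchanged: Subject branch …
```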