author | Eric Wong <e@yhbt.net> | 2020-02-15 09:46:39 +0000 |
---|---|---|
committer | Eric Wong <e@yhbt.net> | 2020-02-16 00:06:48 +0000 |
commit | 1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch) | |
tree | 4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /lib/PublicInbox/ExtMsg.pm | |
parent | 4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff) | |
download | public-inbox-1fee6f86d7ee78161cc48a00232654f13a14bb88.tar.gz |
We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it, I only noticed this bug because I started killing off Hval->new* callers.
Diffstat (limited to 'lib/PublicInbox/ExtMsg.pm')
-rw-r--r-- | lib/PublicInbox/ExtMsg.pm | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/lib/PublicInbox/ExtMsg.pm b/lib/PublicInbox/ExtMsg.pm index c48c2db4..44884ad2 100644 --- a/lib/PublicInbox/ExtMsg.pm +++ b/lib/PublicInbox/ExtMsg.pm @@ -8,7 +8,7 @@ package PublicInbox::ExtMsg; use strict; use warnings; -use PublicInbox::Hval qw(ascii_html prurl); +use PublicInbox::Hval qw(ascii_html prurl mid_href); use PublicInbox::WwwStream; our $MIN_PARTIAL_LEN = 16; @@ -129,9 +129,8 @@ sub ext_msg { } my $code = 404; - my $h = PublicInbox::Hval->new_msgid($mid); - my $href = $h->{href}; - my $html = $h->as_html; + my $href = mid_href($mid); + my $html = ascii_html($mid); my $title = "<$html> not found"; my $s = "<pre>Message-ID <$html>\nnot found\n"; if ($n_partial) { @@ -145,10 +144,9 @@ sub ext_msg { my $env = $ctx->{env} if $ibx->{name} eq $cur_name; my $u = $ibx->base_url($env) or next; foreach my $m (@$res) { - my $p = PublicInbox::Hval->new_msgid($m); - my $r = $p->{href}; - my $t = $p->as_html; - $s .= qq{<a\nhref="$u$r/">$u$t/</a>\n}; + my $href = mid_href($m); + my $html = ascii_html($m); + $s .= qq{<a\nhref="$u$href/">$u$html/</a>\n}; } } } @@ -183,9 +181,8 @@ sub ext_urls { sub exact { my ($ctx, $found, $mid) = @_; - my $h = PublicInbox::Hval->new_msgid($mid); - my $href = $h->{href}; - my $html = $h->as_html; + my $href = mid_href($mid); + my $html = ascii_html($mid); my $title = "<$html> found in "; my $end = @$found == 1 ? 'another inbox' : 'other inboxes'; $ctx->{-title_html} = $title . $end; |
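Review bot: The new `$href`/`$html` pair in `ext_msg` (second hunk), and the identical pair in `exact` (last hunk), holds two different encodings of the same Message-ID, and nothing at the declaration says which output context each one is safe for. A one-line comment above them would help, for example `# $href: escaped for use inside href="..." only; $html: entity-escaped for text nodes only`, so a later edit does not interpolate the wrong form. What `mid_href` actually escapes is defined outside this diff, so the comment wording should be checked against it. Both subs continue outside their hunks.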
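Review bot: In the third hunk, `$u` from `$ibx->base_url($env)` is interpolated unescaped into both the `href` attribute and the link text of `qq{<a\nhref="$u$href/">$u$html/</a>\n}`, while only the Message-ID part is escaped. Whether `base_url` returns HTML-safe text is not visible here; if it can reflect request data taken from `$env`, escape it once before use, e.g. `my $u_html = ascii_html($u);`, and interpolate `$u_html` in both places. Separately, the loop-local `my $href`/`my $html` shadow the variables of the same name declared earlier in `ext_msg`, which the old `$r`/`$t` names avoided; distinct names such as `$m_href`/`$m_html` would keep the two apart. The enclosing loops begin outside the hunk.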