author | Eric Wong <e@yhbt.net> | 2020-02-15 09:46:39 +0000 |
---|---|---|
committer | Eric Wong <e@yhbt.net> | 2020-02-16 00:06:48 +0000 |
commit | 1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch) | |
tree | 4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /lib/PublicInbox/Reply.pm | |
parent | 4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff) | |
download | public-inbox-1fee6f86d7ee78161cc48a00232654f13a14bb88.tar.gz |
We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it; I only noticed this bug because I started killing off Hval->new* callers.
Diffstat (limited to 'lib/PublicInbox/Reply.pm')
-rw-r--r-- | lib/PublicInbox/Reply.pm | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/PublicInbox/Reply.pm b/lib/PublicInbox/Reply.pm index edeb1ac2..5058ff8c 100644 --- a/lib/PublicInbox/Reply.pm +++ b/lib/PublicInbox/Reply.pm @@ -6,9 +6,9 @@ package PublicInbox::Reply; use strict; use warnings; use URI::Escape qw/uri_escape_utf8/; -use PublicInbox::Hval qw/ascii_html obfuscate_addrs/; +use PublicInbox::Hval qw(ascii_html obfuscate_addrs mid_href); use PublicInbox::Address; -use PublicInbox::MID qw/mid_clean mid_escape/; +use PublicInbox::MID qw(mid_clean); sub squote_maybe ($) { my ($val) = @_; @@ -76,7 +76,7 @@ sub mailto_arg_link { $subj = "Re: $subj" unless $subj =~ /\bRe:/i; my $mid = $hdr->header_raw('Message-ID'); push @arg, '--in-reply-to='.squote_maybe(mid_clean($mid)); - my $irt = mid_escape($mid); + my $irt = mid_href($mid); delete $cc->{$to}; if ($obfs) { my $arg_to = $to; |
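
Review bot: In the import hunk (@@ -6,9 +6,9 @@), the two changed `use` lines switch from `qw/.../` to `qw(...)` while the unchanged `use URI::Escape qw/uri_escape_utf8/;` just above them keeps the slash delimiters, so the file ends up with mixed quoting styles. Either convert that line as well or keep the original delimiters, so that the hunk shows only the functional change (importing `mid_href`, dropping `mid_escape`).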
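
Review bot: In `mailto_arg_link` (@@ -76,7 +76,7 @@), `my $irt = mid_href($mid);` now holds a value the commit message describes as escaped for href attributes, but neither the definition of `mid_href` nor the code that consumes `$irt` is visible in this diff, which is limited to lib/PublicInbox/Reply.pm. Please confirm that `$irt` is not run through `ascii_html` or another escaper again further down, because a second pass would double-escape the ampersand this change is meant to fix. A short comment on this line saying that `$irt` is already safe for an href attribute would make that contract explicit, and a test using a Message-ID that contains '&' would pin the behaviour. The `--in-reply-to=` argument on the line above still goes through `mid_clean` and `squote_maybe`, which is a different encoding for a different context, so it is worth keeping the two clearly separate.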