| author | Eric Wong <e@80x24.org> | 2017-03-14 21:23:39 +0000 |
|---|---|---|
| committer | Eric Wong <e@80x24.org> | 2017-03-14 21:23:39 +0000 |
| commit | 92f27ed0be327ab6acb61aeedf7a77702cc6c25f (patch) | |
| tree | 66d945ce8c6415574cd5c33ee82bf8723057fb65 /lib | |
| parent | 364de65f8a6b5729027cb70228312a141430122f (diff) | |
| download | public-inbox-92f27ed0be327ab6acb61aeedf7a77702cc6c25f.tar.gz | |
Otherwise funky filenames can cause HTML injection vulnerabilities (hope you have JavaScript disabled!)
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/PublicInbox/View.pm | 1 |
|---|---|---|

1 files changed, 1 insertions, 0 deletions
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm index 0b1ec75b..9ef4712f 100644 --- a/lib/PublicInbox/View.pm +++ b/lib/PublicInbox/View.pm @@ -438,6 +438,7 @@ sub attach_link ($$$$;$) { } $ret .= "[-- Attachment #$idx: "; my $ts = "Type: $ct, Size: $size bytes"; + $desc = ascii_html($desc); $ret .= ($desc eq '') ? "$ts --]" : "$desc --]\n[-- $ts --]"; $ret .= "</a>\n"; } |
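Review bot: the same hunk still interpolates `$ct` unescaped into HTML via `my $ts = "Type: $ct, Size: $size bytes"`, and `$ct` comes from the attachment's Content-Type header just as the filename in `$desc` does, so it deserves the same treatment; either apply `ascii_html($ct)` here or confirm that `$ct` is already sanitized where it is derived. Escaping `$desc` before the `($desc eq '')` test is fine, since `ascii_html` of an empty string stays empty. Also, `$desc` is overwritten in place rather than copied into a new lexical; if the unescaped filename is still needed later in `attach_link` (for example in the link's `href` above this hunk), the escaped value would now be used there, which is worth a glance when reviewing the rest of the function.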