[PATCH] view: escape From name properly for title

[PATCH] view: escape From name properly for title

[Eric Wong]

Oops :x   Add an additional test for live data for any
unprintable characters, too, since this could be a dangerous
source of HTML injection.
---
 lib/PublicInbox/View.pm |  3 ++-
 t/check-www-inbox.perl  | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 46a581b..c03e1b5 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -322,7 +322,8 @@ sub headers_to_html_header {
 		$v = PublicInbox::Hval->new($v);
 
 		if ($h eq 'From') {
-			$title[1] = PublicInbox::Address::from_name($v->raw);
+			my $n = PublicInbox::Address::from_name($v->raw);
+			$title[1] = ascii_html($n);
 		} elsif ($h eq 'Subject') {
 			$title[0] = $v->as_html;
 			if ($srch) {
diff --git a/t/check-www-inbox.perl b/t/check-www-inbox.perl
index 7cfe193..6be631e 100644
--- a/t/check-www-inbox.perl
+++ b/t/check-www-inbox.perl
@@ -13,6 +13,7 @@ use LWP::ConnCache;
 use POSIX qw(:sys_wait_h);
 use Time::HiRes qw(gettimeofday tv_interval);
 use WWW::Mechanize;
+use Data::Dumper;
 my $nproc = 4;
 my $slow = 0.5;
 my %opts = (
@@ -145,5 +146,16 @@ sub worker_loop {
 			my $n = length($l);
 			die "$$ send truncated $s < $n\n" if $s != $n;
 		}
+
+		# make sure the HTML source doesn't screw up terminals
+		# when people curl the source (not remotely an expert
+		# on languages or encodings, here).
+		next if $r->header('Content-Type') !~ m!\btext/html\b!;
+		my $dc = $r->decoded_content;
+		if ($dc =~ /([\x00-\x08\x0d-\x1f\x7f-\x{99999999}]+)/s) {
+			my $o = $1;
+			my $c = Dumper($o);
+			warn "bad: $u $c\n";
+		}
 	}
 }