user/dev discussion of public-inbox itself
* [PATCH] unsubscribe: HTML encode undecryptable username
@ 2016-06-10  7:26 Eric Wong
  0 siblings, 0 replies; only message in thread
From: Eric Wong @ 2016-06-10  7:26 UTC (permalink / raw)
  To: meta

Otherwise, URLs can be crafted to inject HTML.
---
 lib/PublicInbox/Unsubscribe.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/PublicInbox/Unsubscribe.pm b/lib/PublicInbox/Unsubscribe.pm
index 95348ea..239feea 100644
--- a/lib/PublicInbox/Unsubscribe.pm
+++ b/lib/PublicInbox/Unsubscribe.pm
@@ -82,6 +82,7 @@ sub _user_list_addr {
 		my $errors = $env->{'psgi.errors'};
 		$errors->print("error decrypting: $u\n");
 		$errors->print("$_\n") for split("\n", $err);
+		$u = Plack::Util::encode_html($u);
 		return r($self, 400, 'Bad request', "Failed to decrypt: $u");
 	}
 
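Review bot: The hunk calls Plack::Util::encode_html but does not show a corresponding `use Plack::Util;` or `require` in lib/PublicInbox/Unsubscribe.pm; confirm the module is already loaded in this file, otherwise the error path dies with an undefined-subroutine error instead of returning the 400. The ordering is right for the log: `$errors->print("error decrypting: $u\n")` still records the raw value before `$u = Plack::Util::encode_html($u);` rewrites it for the HTML body. Consider also having `r()` escape whatever it interpolates into the response body, so that every caller of `r($self, 400, ...)` is covered rather than only this one call site.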


Code repositories for project(s) associated with this public inbox

	https://80x24.org/public-inbox.git
