From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,BAYES_00 shortcircuit=no autolearn=unavailable autolearn_force=no version=3.4.0 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 227B11FEAA for ; Fri, 10 Jun 2016 07:26:15 +0000 (UTC) From: Eric Wong To: meta@public-inbox.org Subject: [PATCH] unsubscribe: HTML encode undecryptable username Date: Fri, 10 Jun 2016 07:26:15 +0000 Message-Id: <20160610072615.2092-1-e@80x24.org> List-Id: Otherwise, URLs can be crafted to inject HTML. --- lib/PublicInbox/Unsubscribe.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/PublicInbox/Unsubscribe.pm b/lib/PublicInbox/Unsubscribe.pm index 95348ea..239feea 100644 --- a/lib/PublicInbox/Unsubscribe.pm +++ b/lib/PublicInbox/Unsubscribe.pm @@ -82,6 +82,7 @@ sub _user_list_addr { my $errors = $env->{'psgi.errors'}; $errors->print("error decrypting: $u\n"); $errors->print("$_\n") for split("\n", $err); + $u = Plack::Util::encode_html($u); return r($self, 400, 'Bad request', "Failed to decrypt: $u"); }
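Review bot: `Plack::Util::encode_html($u)` is called with a fully qualified name but the hunk shows no `use Plack::Util;` or `require`; please confirm the module is already loaded in Unsubscribe.pm (or by a caller on every path that reaches `_user_list_addr`), otherwise this error path dies with "Undefined subroutine" instead of returning the 400. The placement is right: the raw `$u` still goes to `psgi.errors` for operators, and only the copy interpolated into the HTML body passed to `r($self, 400, ...)` is escaped. A small regression test that requests an undecryptable username containing `<`, `>` and `"` and asserts the 400 body contains the entity-encoded form would pin this down.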