From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.0 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 0B91F20179 for ; Fri, 17 Jun 2016 19:09:51 +0000 (UTC) From: Eric Wong To: meta@public-inbox.org Subject: [PATCH] www: escape HTML in footer description Date: Fri, 17 Jun 2016 19:09:51 +0000 Message-Id: <20160617190951.13284-1-e@80x24.org> List-Id: This isn't a security vulnerability since $GIT_DIR/description is controlled by the admin; but it causes the footer to misrender. --- lib/PublicInbox/WWW.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm index c25deff..78b8826 100644 --- a/lib/PublicInbox/WWW.pm +++ b/lib/PublicInbox/WWW.pm @@ -15,6 +15,7 @@ use strict; use warnings; use Plack::Request; use PublicInbox::Config; +use PublicInbox::Hval; use URI::Escape qw(uri_escape_utf8 uri_unescape); use constant SSOMA_URL => '//ssoma.public-inbox.org/'; use constant PI_URL => '//public-inbox.org/'; @@ -255,6 +256,7 @@ sub footer { # auto-generate a footer chomp(my $desc = $obj->description); + $desc = PublicInbox::Hval::ascii_html($desc); my $urls; my @urls = @{$obj->cloneurl};
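Review bot: the first hunk adds `use PublicInbox::Hval;` between `use PublicInbox::Config;` and `use URI::Escape qw(uri_escape_utf8 uri_unescape);`, loading the module without importing `ascii_html` into the WWW package, which matches the fully qualified `PublicInbox::Hval::ascii_html($desc)` call in the footer hunk; this is consistent with the surrounding `use` lines, which only import explicitly listed symbols, so no change is needed there beyond keeping the call site fully qualified.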
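Review bot: in the `sub footer` hunk the escaping is applied at the point of use, right after `chomp(my $desc = $obj->description);`, so `$obj->description` itself still returns the raw string and any other code path that writes the description into HTML needs the same `PublicInbox::Hval::ascii_html` call (or the escaping could move into the accessor so every caller gets it). It is also worth confirming that `ascii_html` is the right escaper for where `$desc` ends up: as element text it must escape `&`, `<` and `>`; if it is ever interpolated into an attribute value, quotes need escaping as well. The trailing context lines, `my $urls;` and `my @urls = @{$obj->cloneurl};`, show other admin-controlled values flowing into the same auto-generated footer, so a quick check that those are escaped or URI-encoded before being written into markup would round out this fix. A description such as `Foo <bar> & baz` rendering literally in the footer is a simple way to verify the change.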