authorEric Wong <e@80x24.org>2016-06-07 07:14:01 +0000
committerEric Wong <e@80x24.org>2016-06-07 07:14:37 +0000
commit115f78accd1cd79ea716db1d4e29ddc0633a9d45 (patch)
treec3386a91a6996c6d2da9f92f2e1a86146ca7dfd8
parent1365e185d817cdc2de04968c37f597d92226a13b (diff)
downloadpublic-inbox-115f78accd1cd79ea716db1d4e29ddc0633a9d45.tar.gz
Oops :x   Also add a test on live data for any unprintable
characters, since those could be a dangerous source of HTML
injection.
-rw-r--r--lib/PublicInbox/View.pm3
-rw-r--r--t/check-www-inbox.perl12
2 files changed, 14 insertions, 1 deletions
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 2b40bcdd..0ba78fe2 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -324,7 +324,8 @@ sub headers_to_html_header {
                 $v = PublicInbox::Hval->new($v);
 
                 if ($h eq 'From') {
-                        $title[1] = PublicInbox::Address::from_name($v->raw);
+                        my $n = PublicInbox::Address::from_name($v->raw);
+                        $title[1] = ascii_html($n);
                 } elsif ($h eq 'Subject') {
                         $title[0] = $v->as_html;
                         if ($srch) {
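Review bot: The From branch now escapes with ascii_html() on the output of from_name($v->raw), while the neighbouring Subject branch escapes through the Hval object's as_html, and nothing on the new lines says why the two paths differ; a one-line comment would help, e.g. `# from_name() works on the raw header value, so escape its result before it reaches the title`. Since the message calls this an oversight, a regression test that renders a From header such as `"<b>x</b>" <a@example.com>` and asserts the page title contains `&lt;b&gt;` would pin the fix more reliably than the live-data scan added in t/check-www-inbox.perl. If ascii_html() also folds non-ASCII characters, as its name suggests, non-ASCII display names will now be altered in the title — worth confirming that is intended. headers_to_html_header() begins and ends outside this hunk.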
diff --git a/t/check-www-inbox.perl b/t/check-www-inbox.perl
index 7cfe1932..6be631e9 100644
--- a/t/check-www-inbox.perl
+++ b/t/check-www-inbox.perl
@@ -13,6 +13,7 @@ use LWP::ConnCache;
 use POSIX qw(:sys_wait_h);
 use Time::HiRes qw(gettimeofday tv_interval);
 use WWW::Mechanize;
+use Data::Dumper;
 my $nproc = 4;
 my $slow = 0.5;
 my %opts = (
@@ -145,5 +146,16 @@ sub worker_loop {
                         my $n = length($l);
                         die "$$ send truncated $s < $n\n" if $s != $n;
                 }
+
+                # make sure the HTML source doesn't screw up terminals
+                # when people curl the source (not remotely an expert
+                # on languages or encodings, here).
+                next if $r->header('Content-Type') !~ m!\btext/html\b!;
+                my $dc = $r->decoded_content;
+                if ($dc =~ /([\x00-\x08\x0d-\x1f\x7f-\x{99999999}]+)/s) {
+                        my $o = $1;
+                        my $c = Dumper($o);
+                        warn "bad: $u $c\n";
+                }
         }
 }
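Review bot: The character class on the `if ($dc =~ ...)` line flags every code point from \x7f upward, so with decoded_content() (characters, not bytes) any page carrying legitimate non-ASCII text — an accented name, a non-Latin subject — is reported as "bad", and the upper bound \x{99999999} lies beyond U+10FFFF, which newer perls warn about. If the intent is terminal safety, as the comment says, restrict the class to the C0/C1 controls: `if ($dc =~ /([\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]+)/s) {`; if instead the intent is to confirm the HTML is ASCII-only (which the ascii_html() change in View.pm hints at), state that in the comment and use `[^\t\n\x20-\x7e]` so the check reads as such. Note also that \x0b and \x0c pass the current class while \x0d is flagged, which looks possibly unintentional. The `next`, `$r` and `$u` belong to worker_loop(), whose body starts outside this hunk.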