author | Eric Wong <e@80x24.org> | 2016-06-07 07:14:01 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2016-06-07 07:14:37 +0000 |
commit | 115f78accd1cd79ea716db1d4e29ddc0633a9d45 (patch) | |
tree | c3386a91a6996c6d2da9f92f2e1a86146ca7dfd8 | |
parent | 1365e185d817cdc2de04968c37f597d92226a13b (diff) | |
download | public-inbox-115f78accd1cd79ea716db1d4e29ddc0633a9d45.tar.gz |
Oops :x Add an additional test for live data for any unprintable characters, too, since this could be a dangerous source of HTML injection.
-rw-r--r-- | lib/PublicInbox/View.pm | 3 | ||||
-rw-r--r-- | t/check-www-inbox.perl | 12 |
2 files changed, 14 insertions, 1 deletions
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 2b40bcdd..0ba78fe2 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -324,7 +324,8 @@ sub headers_to_html_header {
 $v = PublicInbox::Hval->new($v);
 if ($h eq 'From') {
- $title[1] = PublicInbox::Address::from_name($v->raw);
+ my $n = PublicInbox::Address::from_name($v->raw);
+ $title[1] = ascii_html($n);
 } elsif ($h eq 'Subject') {
 $title[0] = $v->as_html;
 if ($srch) {
diff --git a/t/check-www-inbox.perl b/t/check-www-inbox.perl
index 7cfe1932..6be631e9 100644
--- a/t/check-www-inbox.perl
+++ b/t/check-www-inbox.perl
@@ -13,6 +13,7 @@ use LWP::ConnCache;
 use POSIX qw(:sys_wait_h);
 use Time::HiRes qw(gettimeofday tv_interval);
 use WWW::Mechanize;
+use Data::Dumper;
 my $nproc = 4;
 my $slow = 0.5;
 my %opts = (
@@ -145,5 +146,16 @@ sub worker_loop {
 my $n = length($l);
 die "$$ send truncated $s < $n\n" if $s != $n;
 }
+
+ # make sure the HTML source doesn't screw up terminals
+ # when people curl the source (not remotely an expert
+ # on languages or encodings, here).
+ next if $r->header('Content-Type') !~ m!\btext/html\b!;
+ my $dc = $r->decoded_content;
+ if ($dc =~ /([\x00-\x08\x0d-\x1f\x7f-\x{99999999}]+)/s) {
+ my $o = $1;
+ my $c = Dumper($o);
+ warn "bad: $u $c\n";
+ }
 }
 }
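Review bot: The new `$title[1] = ascii_html($n);` line carries no explanation of why the From display name is escaped separately while `$title[0]` goes through `$v->as_html`, and the next reader may "simplify" it back to the raw name that this commit is fixing; add `# From display names are sender-controlled: escape before they reach <title>` above it. If `PublicInbox::Address::from_name` can return undef for a header with no display name (its contract is not visible here), `ascii_html(undef)` would emit an uninitialized warning under `use warnings`, so `$title[1] = ascii_html($n // '');` or a fallback to the address would be safer — confirm against from_name before changing it. `headers_to_html_header` begins and ends outside this hunk.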
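Review bot: The new unprintable-character check ends in `warn "bad: $u $c\n";` and then falls through to the next iteration, so an HTML-injection regression caught by this test only appears as a stderr line that nobody may read; a test script should at least bump a failure counter or `die` so the exit status reflects the finding (how worker_loop reports errors to its parent is outside this hunk, so reuse whichever mechanism it already has). The character class `[\x00-\x08\x0d-\x1f\x7f-\x{99999999}]` also spells "not printable ASCII" by enumeration with an upper bound far beyond the Unicode ceiling of 0x10FFFF, which perl accepts but may warn about as non-portable; the negated form `[^\t\n\x0b\x0c\x20-\x7e]` is equivalent and states the intent directly. Note that CR (\x0d) is classed as bad, so a CRLF response body would be flagged — presumably intended because the server emits LF-only HTML, but that assumption deserves a comment next to the regex. worker_loop begins outside this hunk.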