authorEric Wong <e@80x24.org>2016-06-17 18:56:02 +0000
committerEric Wong <e@80x24.org>2016-06-17 19:03:02 +0000
commit38a90ce29cb9cae6f045f516ef160d8e6accdd21 (patch)
tree9048e5e5a34d15b623eef567421ac912f6026839
parent5e800c1aac067ec42cc6bcac10a0c339467a26d6 (diff)
downloadpublic-inbox-38a90ce29cb9cae6f045f516ef160d8e6accdd21.tar.gz
This isn't a security vulnerability since $GIT_DIR/description
is controlled by the admin; but it causes the footer to
misrender.
-rw-r--r--lib/PublicInbox/WWW.pm2
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index c25deff3..78b8826e 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -15,6 +15,7 @@ use strict;
 use warnings;
 use Plack::Request;
 use PublicInbox::Config;
+use PublicInbox::Hval;
 use URI::Escape qw(uri_escape_utf8 uri_unescape);
 use constant SSOMA_URL => '//ssoma.public-inbox.org/';
 use constant PI_URL => '//public-inbox.org/';
@@ -255,6 +256,7 @@ sub footer {
 
         # auto-generate a footer
         chomp(my $desc = $obj->description);
+        $desc = PublicInbox::Hval::ascii_html($desc);
 
         my $urls;
         my @urls = @{$obj->cloneurl};
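Review bot: The escaped `$desc` on the added line carries no comment saying it is now HTML, so a later reader of footer (whose body continues outside this hunk) could escape it again or reuse it as plain text in a non-HTML context. A short why-comment above the call would prevent that: `# description is admin-controlled but may contain '<' or '&'; escape once here, $desc is HTML from this point on`. The commit message frames this as a rendering fix; the same call also closes the HTML-injection path for the description text, which is worth stating in the comment so the escape is not removed later as "cosmetic".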