about summary refs log tree commit homepage
path: root/lib/PublicInbox/ExtMsg.pm
diff options
context:
space:
mode:
authorEric Wong <e@80x24.org>2019-04-27 21:46:54 +0000
committerEric Wong <e@80x24.org>2019-04-27 21:46:54 +0000
commit0cd78b139de44c9018d623d2004d65184fff3275 (patch)
tree3b08fda95724fae8399e59c1351314e240707be0 /lib/PublicInbox/ExtMsg.pm
parent0195eb10a0cb74ebe098b4596e8e78d0544df6fb (diff)
downloadpublic-inbox-0cd78b139de44c9018d623d2004d65184fff3275.tar.gz
We already escape the user-provided Message-IDs (so there's no
security problem AFAIK), but the URL templates which exist in
our source code were not escaped properly.

This quiets down tidy(1).
Diffstat (limited to 'lib/PublicInbox/ExtMsg.pm')
-rw-r--r--lib/PublicInbox/ExtMsg.pm4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/PublicInbox/ExtMsg.pm b/lib/PublicInbox/ExtMsg.pm
index 14d49cc5..d07d5a79 100644
--- a/lib/PublicInbox/ExtMsg.pm
+++ b/lib/PublicInbox/ExtMsg.pm
@@ -8,13 +8,13 @@
 package PublicInbox::ExtMsg;
 use strict;
 use warnings;
-use PublicInbox::Hval;
+use PublicInbox::Hval qw/ascii_html/;
 use PublicInbox::MID qw/mid2path/;
 use PublicInbox::WwwStream;
 our $MIN_PARTIAL_LEN = 16;
 
 # TODO: user-configurable
-our @EXT_URL = (
+our @EXT_URL = map { ascii_html($_) } (
         # leading "//" denotes protocol-relative (http:// or https://)
         '//marc.info/?i=%s',
         '//www.mail-archive.com/search?l=mid&q=%s',