authorEric Wong <e@yhbt.net>2020-02-15 09:46:39 +0000
committerEric Wong <e@yhbt.net>2020-02-16 00:06:48 +0000
commit1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch)
tree4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /lib/PublicInbox/Linkify.pm
parent4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff)
We need to escape ampersands (and some other characters for href
attributes), so introduce a `mid_href' sub to do just that.

'<', '>' and '"'  were always escaped, so there's no risk of tag
or attribute injection, but creative Message-IDs could cause
confusion for some parsers and generate invalid URLs.

Start getting rid of the bloated, over-engineered OO Hval API
while we're at it, I only noticed this bug because I started
killing off Hval->new* callers.
Diffstat (limited to 'lib/PublicInbox/Linkify.pm')
-rw-r--r--lib/PublicInbox/Linkify.pm9
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/PublicInbox/Linkify.pm b/lib/PublicInbox/Linkify.pm
index d176a7cc..2bd8f64a 100644
--- a/lib/PublicInbox/Linkify.pm
+++ b/lib/PublicInbox/Linkify.pm
@@ -13,7 +13,7 @@ package PublicInbox::Linkify;
 use strict;
 use warnings;
 use Digest::SHA qw/sha1_hex/;
-use PublicInbox::Hval qw(ascii_html);
+use PublicInbox::Hval qw(ascii_html mid_href);
 
 my $SALT = rand;
 my $LINK_RE = qr{([\('!])?\b((?:ftps?|https?|nntps?|gopher)://
@@ -94,10 +94,9 @@ sub linkify_2 {
 sub linkify_mids {
         my ($self, $pfx, $str, $raw) = @_;
         $$str =~ s!<([^>]+)>!
-                my $msgid = PublicInbox::Hval->new_msgid($1);
-                my $html = $msgid->as_html;
-                my $href = $msgid->{href};
-                $href = ascii_html($href); # for IDN
+                my $mid = $1;
+                my $html = ascii_html($mid);
+                my $href = mid_href($mid);
 
                 # salt this, as this could be exploited to show
                 # links in the HTML which don't show up in the raw mail.
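Review bot: The two new assignments in linkify_mids build values for different output contexts (`$html` for element text, `$href` for an attribute value), and with the old `# for IDN` remark removed nothing at the call site records that. A one-line comment above them, such as `# $html is link text; $href must be safe inside href="..." (escaping is mid_href's job)`, would keep a later edit from reusing one value for the other. `mid_href` is imported from PublicInbox::Hval and its definition is not part of this diff, so whether it applies both URI-escaping and HTML-escaping cannot be confirmed from here; a test that passes a Message-ID containing `&` and `"` through linkify_mids and checks the emitted href would pin it down. The substitution body continues past the end of the hunk.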