author | Eric Wong <e@yhbt.net> | 2020-02-15 09:46:39 +0000 |
---|---|---|
committer | Eric Wong <e@yhbt.net> | 2020-02-16 00:06:48 +0000 |
commit | 1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch) | |
tree | 4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /lib/PublicInbox/Linkify.pm | |
parent | 4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff) | |

We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that.

'<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs.

Start getting rid of the bloated, over-engineered OO Hval API while we're at it, I only noticed this bug because I started killing off Hval->new* callers.

Diffstat (limited to 'lib/PublicInbox/Linkify.pm')
-rw-r--r-- | lib/PublicInbox/Linkify.pm | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/PublicInbox/Linkify.pm b/lib/PublicInbox/Linkify.pm index d176a7cc..2bd8f64a 100644 --- a/lib/PublicInbox/Linkify.pm +++ b/lib/PublicInbox/Linkify.pm @@ -13,7 +13,7 @@ package PublicInbox::Linkify; use strict; use warnings; use Digest::SHA qw/sha1_hex/; -use PublicInbox::Hval qw(ascii_html); +use PublicInbox::Hval qw(ascii_html mid_href); my $SALT = rand; my $LINK_RE = qr{([\('!])?\b((?:ftps?|https?|nntps?|gopher):// @@ -94,10 +94,9 @@ sub linkify_2 { sub linkify_mids { my ($self, $pfx, $str, $raw) = @_; $$str =~ s!<([^>]+)>! - my $msgid = PublicInbox::Hval->new_msgid($1); - my $html = $msgid->as_html; - my $href = $msgid->{href}; - $href = ascii_html($href); # for IDN + my $mid = $1; + my $html = ascii_html($mid); + my $href = mid_href($mid); # salt this, as this could be exploited to show # links in the HTML which don't show up in the raw mail. |
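
Review bot: In linkify_mids, the new `my $href = mid_href($mid);` line drops the old `ascii_html($href)` step together with its "# for IDN" comment, so the href now depends entirely on mid_href returning text that is both URL-escaped and safe to interpolate into an HTML attribute, and that sub is not defined in this file. Suggest a one-line comment on that line stating the contract (that the return value is already escaped for attribute use, ampersands included), plus a test case, if the commit does not already carry one outside this file, that feeds a Message-ID containing '&' through linkify_mids and checks the generated href. It is also worth confirming that passing the raw $1 to ascii_html and mid_href yields the same visible text and link target that new_msgid produced, apart from the ampersand fix, in case new_msgid normalized the ID before escaping it.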