about summary refs log tree commit homepage
path: root/lib/PublicInbox/SearchView.pm
diff options
authorEric Wong <e@yhbt.net>2020-02-15 09:46:39 +0000
committerEric Wong <e@yhbt.net>2020-02-16 00:06:48 +0000
commit1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch)
tree4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /lib/PublicInbox/SearchView.pm
parent4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff)
We need to escape ampersands (and some other characters for href
attributes), so introduce a `mid_href' sub to do just that.

'<', '>' and '"'  were always escaped, so there's no risk of tag
or attribute injection, but creative Message-IDs could cause
confusion for some parsers and generate invalid URLs.

Start getting rid of the bloated, over-engineered OO Hval API
while we're at it, I only noticed this bug because I started
killing off Hval->new* callers.
Diffstat (limited to 'lib/PublicInbox/SearchView.pm')
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index 7e508bb7..9b67b045 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -7,7 +7,7 @@ use strict;
 use warnings;
 use URI::Escape qw(uri_unescape uri_escape);
 use PublicInbox::SearchMsg;
-use PublicInbox::Hval qw/ascii_html obfuscate_addrs/;
+use PublicInbox::Hval qw(ascii_html obfuscate_addrs mid_href);
 use PublicInbox::View;
 use PublicInbox::WwwAtomStream;
 use PublicInbox::SearchThread;
@@ -115,7 +115,7 @@ sub mset_summary {
                         obfuscate_addrs($obfs_ibx, $f);
                 my $date = PublicInbox::View::fmt_ts($smsg->{ds});
-                my $mid = PublicInbox::Hval->new_msgid($smsg->{mid})->{href};
+                my $mid = mid_href($smsg->{mid});
                 $s = '(no subject)' if $s eq '';
                 $$res .= qq{$rank. <b><a\nhref="$mid/">}.
                         $s . "</a></b>\n";