diff options
| author | Eric Wong <e@80x24.org> | 2016-06-10 07:23:24 +0000 |
|---|---|---|
| committer | Eric Wong <e@80x24.org> | 2016-06-10 07:24:11 +0000 |
| commit | f4ef1160ffd83d7cc1744c06392888f6af50faa7 (patch) | |
| tree | b3e693e8b28e3062304bf93677e20009f468271b /lib/PublicInbox/Unsubscribe.pm | |
| parent | 34329921385d2489c2ea94eab73a6ad567863565 (diff) | |
| download | public-inbox-f4ef1160ffd83d7cc1744c06392888f6af50faa7.tar.gz | |
Otherwise, URLs can be crafted to inject HTML.
Diffstat (limited to 'lib/PublicInbox/Unsubscribe.pm')
| -rw-r--r-- | lib/PublicInbox/Unsubscribe.pm | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/PublicInbox/Unsubscribe.pm b/lib/PublicInbox/Unsubscribe.pm index 95348ea3..239feea9 100644 --- a/lib/PublicInbox/Unsubscribe.pm +++ b/lib/PublicInbox/Unsubscribe.pm @@ -82,6 +82,7 @@ sub _user_list_addr { my $errors = $env->{'psgi.errors'}; $errors->print("error decrypting: $u\n"); $errors->print("$_\n") for split("\n", $err); + $u = Plack::Util::encode_html($u); return r($self, 400, 'Bad request', "Failed to decrypt: $u"); } |