authorEric Wong <e@80x24.org>2014-04-17 22:05:04 +0000
committerEric Wong <e@80x24.org>2014-04-17 22:05:04 +0000
commit957d85db25b3dc99647ae15fd57d9e8dd9579883 (patch)
tree7dade1f5fc386c93cc06380866a9df99bc984c5d /lib
parentae1c27f9ff9b38ba038b7cc6a19e1d9bc2cee714 (diff)
We need to take care to escape everything properly to avoid
HTML/JS injections.
Diffstat (limited to 'lib')
-rw-r--r--lib/PublicInbox/View.pm15
1 files changed, 12 insertions, 3 deletions
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 17aca94e..f645b9ba 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -153,11 +153,20 @@ sub headers_to_html_header {
                 defined $v or next;
                 $v =~ tr/\n/ /s;
                 $v =~ tr/\r//d;
-                $v = ascii_html($enc_mime->decode($v));
+                my $raw = $enc_mime->decode($v);
+                $v = ascii_html($raw);
                 $rv .= "$h: $v\n";
 
-                if ($h eq "From" || $h eq "Subject") {
-                        push @title, $v;
+                if ($h eq 'From') {
+                        my @from = Email::Address->parse($raw);
+                        $raw = $from[0]->name;
+                        unless (defined($raw) && length($raw)) {
+                                $raw = '<' . $from[0]->address . '>';
+                        }
+                        $title[1] = ascii_html($raw);
+
+                } elsif ($h eq 'Subject') {
+                        $title[0] = $v;
                 }
         }