authorEric Wong <e@80x24.org>2017-03-14 21:23:39 +0000
committerEric Wong <e@80x24.org>2017-03-14 21:23:39 +0000
commit92f27ed0be327ab6acb61aeedf7a77702cc6c25f (patch)
tree66d945ce8c6415574cd5c33ee82bf8723057fb65 /t
parent364de65f8a6b5729027cb70228312a141430122f (diff)
Otherwise funky filenames can cause HTML injection
vulnerabilities (hope you have JavaScript disabled!)
Diffstat (limited to 't')
-rw-r--r--t/view.t4
1 files changed, 2 insertions, 2 deletions
diff --git a/t/view.t b/t/view.t
index 46fbe410..2181b5ef 100644
--- a/t/view.t
+++ b/t/view.t
@@ -124,7 +124,7 @@ EOF
                 Email::MIME->create(
                         attributes => {
                                 content_type => 'text/plain',
-                                filename => "foo.patch",
+                                filename => "foo&.patch",
                         },
                         body => "--- a/file\n+++ b/file\n" .
                                 "@@ -49, 7 +49,34 @@\n",
@@ -140,7 +140,7 @@ EOF
         );
 
         my $html = msg_html($mime);
-        like($html, qr!.*Attachment #2: foo\.patch --!,
+        like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!,
                 "parts split with filename");
 }
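Review bot: The `like` assertion in the second hunk only pins the escaping of `&`; a filename containing `<`, `>` or `"` is the input that would actually yield markup or attribute injection, and nothing in this test checks that those are neutralised. A second fixture built the same way as the `filename => "foo&.patch"` part in the first hunk, e.g. `filename => 'foo<b>.patch'`, with a matching `like($html, qr!Attachment #2: foo&lt;b&gt;\.patch --!, "angle brackets in filename are escaped");` would cover it — assuming the escaper emits the named entities; if it uses numeric references, widen the alternation as the `&(?:amp|#38);` pattern already does. The leading `.*` in the pattern is redundant for an unanchored `like` and can be dropped.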