author | Eric Wong <e@80x24.org> | 2017-03-14 21:23:39 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2017-03-14 21:23:39 +0000 |
commit | 92f27ed0be327ab6acb61aeedf7a77702cc6c25f (patch) | |
tree | 66d945ce8c6415574cd5c33ee82bf8723057fb65 /t | |
parent | 364de65f8a6b5729027cb70228312a141430122f (diff) | |
download | public-inbox-92f27ed0be327ab6acb61aeedf7a77702cc6c25f.tar.gz |
Otherwise funky filenames can cause HTML injection vulnerabilities (hope you have JavaScript disabled!)
Diffstat (limited to 't')
-rw-r--r-- | t/view.t | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -124,7 +124,7 @@ EOF
 Email::MIME->create(
 attributes => {
 content_type => 'text/plain',
- filename => "foo.patch",
+ filename => "foo&.patch",
 },
 body => "--- a/file\n+++ b/file\n" .
 "@@ -49, 7 +49,34 @@\n",
@@ -140,7 +140,7 @@ EOF
 );
 my $html = msg_html($mime);
- like($html, qr!.*Attachment #2: foo\.patch --!,
+ like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!,
 "parts split with filename");
 } |
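Review bot: The regression test only feeds `&` through `msg_html`, so an escaper that handled ampersands but missed `<`, `>` or quotes in the attachment filename would still pass. Consider changing the fixture in the first hunk to `filename => "foo&<>.patch",` and extending the pattern in the second hunk to `foo&(?:amp|#38);&lt;&gt;\.patch`, plus an `unlike($html, qr/foo&<>/, "raw filename not emitted")` so the unescaped form is rejected outright. The exact entity spellings depend on the escaping routine, which is not visible here (the diffstat is limited to `t/`), so adjust the alternations to match it. Both hunks sit inside a test block that starts and ends outside the lines shown.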