From 48dc8ff5e67714985897047c189bdf019b796a60 Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Tue, 22 Apr 2014 09:24:45 +0000
Subject: fix quoted URL generation in feeds

While we're at it, make sure strange characters are escaped properly
in Message-IDs.  We'll need tests for all this behavior.
---
 Documentation/design_www.txt |  3 +++
 TODO                         |  1 +
 lib/PublicInbox/Feed.pm      | 15 ++++++++-------
 public-inbox.cgi             |  3 ++-
 4 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 TODO

diff --git a/Documentation/design_www.txt b/Documentation/design_www.txt
index 226a22c9..50c97317 100644
--- a/Documentation/design_www.txt
+++ b/Documentation/design_www.txt
@@ -13,6 +13,9 @@ URL naming
 /$LISTNAME/f/$MESSAGE_ID                        -> 301 to .html version
 /$LISTNAME/f/$MESSAGE_ID.txt                    -> 301 to m/$MESSAGE_ID.txt
 
+FIXME: we must refactor/cleanup/add tests for most of our CGI before
+adding more endpoints and features.
+
 Maybe TODO (these might be expensive)
 -------------------------------------
 /$LISTNAME/t/$MESSAGE_ID.html                   -> HTML content of thread
diff --git a/TODO b/TODO
new file mode 100644
index 00000000..76020a7f
--- /dev/null
+++ b/TODO
@@ -0,0 +1 @@
+* header -> HTML/XML sanitization
diff --git a/lib/PublicInbox/Feed.pm b/lib/PublicInbox/Feed.pm
index 3fc3775b..93ee80bb 100644
--- a/lib/PublicInbox/Feed.pm
+++ b/lib/PublicInbox/Feed.pm
@@ -262,11 +262,13 @@ sub add_to_feed {
 	my $midurl = $feed_opts->{midurl} || 'http://example.com/m/';
 	my $fullurl = $feed_opts->{fullurl} || 'http://example.com/f/';
 
-	my $content = PublicInbox::View->as_feed_entry($mime, $fullurl);
-	defined($content) or return 0;
-
 	my $mid = utf8_header($mime, "Message-ID") or return 0;
-	$mid =~ s/\A<//; $mid =~ s/>\z//;
+	# FIXME: refactor
+	my (undef, $href) = PublicInbox::View::trim_message_id($mid);
+
+	my $content = PublicInbox::View->as_feed_entry($mime,
+							"$fullurl$href.html");
+	defined($content) or return 0;
 
 	my $subject = utf8_header($mime, "Subject") || "";
 	length($subject) or return 0;
@@ -279,7 +281,6 @@ sub add_to_feed {
 	my $email = $from[0]->address;
 	defined $email or $email = "";
 
-	my $url = $midurl . uri_escape($mid);
 	my $date = utf8_header($mime, "Date");
 	$date or return 0;
 	$date = feed_date($date) or return 0;
@@ -288,7 +289,7 @@ sub add_to_feed {
 		title => $subject,
 		updated => $date,
 		content => { type => "html", content => $content },
-		link => $url,
+		link => $midurl . $href,
 		id => $add,
 	);
 	1;
@@ -303,7 +304,7 @@ sub dump_html_line {
 		my $mid = utf8_header($simple, "Message-ID");
 		$mid =~ s/\A<//;
 		$mid =~ s/>\z//;
-		my $url = $args->[1] . uri_escape($mid);
+		my $url = $args->[1] . xs_html(uri_escape($mid));
 		my $from = utf8_header($simple, "From");
 		my @from = Email::Address->parse($from);
 		$from = $from[0]->name;
diff --git a/public-inbox.cgi b/public-inbox.cgi
index 33313bf5..b9b484be 100755
--- a/public-inbox.cgi
+++ b/public-inbox.cgi
@@ -167,8 +167,9 @@ sub get_mid_html {
 	my $x = mid2blob($ctx);
 	return r404() unless $x;
 
-	my $pfx = "../f/" . uri_escape($ctx->{mid}) . ".html";
 	require PublicInbox::View;
+	my $mid_href = PublicInbox::View::ascii_html(uri_escape($ctx->{mid}));
+	my $pfx = "../f/$mid_href.html";
 	require Email::MIME;
 	[ "200 OK", {'Content-Type' => 'text/html'},
 		PublicInbox::View->as_html(Email::MIME->new($$x), $pfx)];
-- 
cgit v1.2.3-24-ge0c7