From 1fee6f86d7ee78161cc48a00232654f13a14bb88 Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 15 Feb 2020 09:46:39 +0000 Subject: view: escape ampersand in Message-IDs We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it, I only noticed this bug because I started killing off Hval->new* callers. --- lib/PublicInbox/SearchView.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/PublicInbox/SearchView.pm')
diff --git a/lib/PublicInbox/SearchView.pm b/lib/PublicInbox/SearchView.pm
index 7e508bb7..9b67b045 100644
--- a/lib/PublicInbox/SearchView.pm
+++ b/lib/PublicInbox/SearchView.pm
@@ -7,7 +7,7 @@ use strict;
 use warnings;
 use URI::Escape qw(uri_unescape uri_escape);
 use PublicInbox::SearchMsg;
-use PublicInbox::Hval qw/ascii_html obfuscate_addrs/;
+use PublicInbox::Hval qw(ascii_html obfuscate_addrs mid_href);
 use PublicInbox::View;
 use PublicInbox::WwwAtomStream;
 use PublicInbox::SearchThread;
@@ -115,7 +115,7 @@ sub mset_summary {
 obfuscate_addrs($obfs_ibx, $f);
 }
 my $date = PublicInbox::View::fmt_ts($smsg->{ds});
- my $mid = PublicInbox::Hval->new_msgid($smsg->{mid})->{href};
+ my $mid = mid_href($smsg->{mid});
 $s = '(no subject)' if $s eq '';
 $$res .= qq{$rank. }. $s . "\n"; -- cgit v1.2.3-24-ge0c7
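Review bot: In the second hunk `$mid` now holds the output of `mid_href`, an href-escaped form of the Message-ID, but the name still reads as the raw ID and nothing at the assignment records which output context the value is safe for. A later edit that runs it through another escaper would double-encode it, and one that reuses it outside an href would apply the wrong encoding for that context. Renaming it where it is assigned, `my $href = mid_href($smsg->{mid});`, and in the statement that consumes it (presumably the `$$res .= qq{...}` line, whose markup is not visible on this page), or adding `# already escaped for use inside href="..."; do not escape again`, would make that explicit. `mid_href` is defined in PublicInbox::Hval, outside this file-limited diff, so what it escapes cannot be checked here, and neither can whether a regression test covers a Message-ID containing `&`. mset_summary starts and ends outside the hunk.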