From f4ef1160ffd83d7cc1744c06392888f6af50faa7 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Fri, 10 Jun 2016 07:23:24 +0000
Subject: unsubscribe: HTML encode undecryptable username

Otherwise, URLs can be crafted to inject HTML.
---
 lib/PublicInbox/Unsubscribe.pm | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib/PublicInbox/Unsubscribe.pm')
diff --git a/lib/PublicInbox/Unsubscribe.pm b/lib/PublicInbox/Unsubscribe.pm
index 95348ea3..239feea9 100644
--- a/lib/PublicInbox/Unsubscribe.pm
+++ b/lib/PublicInbox/Unsubscribe.pm
@@ -82,6 +82,7 @@ sub _user_list_addr {
 	my $errors = $env->{'psgi.errors'};
 	$errors->print("error decrypting: $u\n");
 	$errors->print("$_\n") for split("\n", $err);
+	$u = Plack::Util::encode_html($u);
 	return r($self, 400, 'Bad request', "Failed to decrypt: $u");
 }
-- cgit v1.2.3-24-ge0c7
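Review bot: The same request-controlled `$u` is still written unencoded to `psgi.errors` two lines above the new `encode_html` call, so a value containing CR/LF can break the error log into extra lines before the HTML-safe copy is made; neutralising line breaks for the log entry would close that, e.g. `(my $log_u = $u) =~ tr/\r\n/ /;` followed by `$errors->print("error decrypting: $log_u\n");`. The encode is the right fix for the response body, on the assumption that `r()` serves it with an HTML content type and that `Plack::Util` is already loaded in this file — neither is visible in the hunk. `_user_list_addr` begins before the hunk, so where `$u` is extracted from the request is not shown here.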