From 115f78accd1cd79ea716db1d4e29ddc0633a9d45 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 7 Jun 2016 07:14:01 +0000
Subject: view: escape From name properly for title

Oops :x

Add an additional test for live data for any unprintable characters, too, since this could be a dangerous source of HTML injection.
---
 lib/PublicInbox/View.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/PublicInbox/View.pm')
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 2b40bcdd..0ba78fe2 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -324,7 +324,8 @@ sub headers_to_html_header {
 $v = PublicInbox::Hval->new($v);
 if ($h eq 'From') {
- $title[1] = PublicInbox::Address::from_name($v->raw);
+ my $n = PublicInbox::Address::from_name($v->raw);
+ $title[1] = ascii_html($n);
 } elsif ($h eq 'Subject') {
 $title[0] = $v->as_html;
 if ($srch) {
-- 
cgit v1.2.3-24-ge0c7
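Review bot: The two added lines in headers_to_html_header carry no hint of why the name is parsed from the unescaped value and only escaped afterwards, which is the whole point of the fix; a one-line comment would stop a later edit from "simplifying" it back to the raw name, e.g. `# parse the raw address, then escape the name before it reaches <title>`. The Subject branch right below uses `$v->as_html` for the same purpose, so it may also be worth a comment on why the From branch cannot use it (the name must be extracted from the raw address first). If from_name can return undef for a bare address with no display name, `ascii_html($n)` presumably sees undef here — confirm and guard with `// ''` if so. The commit message mentions an additional test for unprintable characters, but this view is limited to View.pm, so that test cannot be checked from this hunk; headers_to_html_header itself starts and ends outside the hunk.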