From 38a90ce29cb9cae6f045f516ef160d8e6accdd21 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Fri, 17 Jun 2016 18:56:02 +0000
Subject: www: escape HTML in footer description

This isn't a security vulnerability since $GIT_DIR/description is controlled by the admin; but it causes the footer to misrender.
---
 lib/PublicInbox/WWW.pm | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'lib/PublicInbox/WWW.pm')

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index c25deff3..78b8826e 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -15,6 +15,7 @@ use strict;
 use warnings;
 use Plack::Request;
 use PublicInbox::Config;
+use PublicInbox::Hval;
 use URI::Escape qw(uri_escape_utf8 uri_unescape);
 use constant SSOMA_URL => '//ssoma.public-inbox.org/';
 use constant PI_URL => '//public-inbox.org/';
@@ -255,6 +256,7 @@ sub footer {
 # auto-generate a footer
 chomp(my $desc = $obj->description);
+ $desc = PublicInbox::Hval::ascii_html($desc);
 my $urls;
 my @urls = @{$obj->cloneurl};
-- 
cgit v1.2.3-24-ge0c7
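Review bot: The added escape covers only `$desc`; `@urls` on the line right after it comes from `$obj->cloneurl`, which is presumably the same kind of admin-edited free text, and if the rest of footer() interpolates those values into the same HTML (the body continues outside the hunk) they should go through `ascii_html` for exactly the reason this commit gives. The commit message carries the trust assumption ("description is controlled by the admin") but the code does not, so a one-line comment above the new line would make the escape read as deliberate defense-in-depth rather than a stray fix: `# description is admin-controlled, but escape anyway: '<', '>' or '&' would break the footer markup`. `ascii_html` is not visible here, so this assumes it escapes the HTML metacharacters its name suggests; worth confirming it also handles `"` in case `$desc` ever ends up inside an attribute value. footer()'s body starts and ends outside the hunk on both sides.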