From 1fee6f86d7ee78161cc48a00232654f13a14bb88 Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 15 Feb 2020 09:46:39 +0000 Subject: view: escape ampersand in Message-IDs We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it, I only noticed this bug because I started killing off Hval->new* callers. --- lib/PublicInbox/WwwAtomStream.pm | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'lib/PublicInbox/WwwAtomStream.pm') diff --git a/lib/PublicInbox/WwwAtomStream.pm b/lib/PublicInbox/WwwAtomStream.pm index 658934a2..aa917ed8 100644 --- a/lib/PublicInbox/WwwAtomStream.pm +++ b/lib/PublicInbox/WwwAtomStream.pm @@ -12,8 +12,7 @@ use warnings; use POSIX qw(strftime); use Digest::SHA qw(sha1_hex); use PublicInbox::Address; -use PublicInbox::Hval qw(ascii_html); -use PublicInbox::MID qw(mid_escape); +use PublicInbox::Hval qw(ascii_html mid_href); use PublicInbox::MsgTime qw(msg_timestamp); # called by PSGI server after getline: @@ -71,7 +70,7 @@ sub atom_header { my $mid = $ctx->{mid}; my $page_id; if (defined $mid) { # per-thread - $self_url .= mid_escape($mid).'/t.atom'; + $self_url .= mid_href($mid).'/t.atom'; $page_id = to_uuid("t\n".$mid) } elsif (defined $search_q) { my $query = $search_q->{'q'}; @@ -109,13 +108,13 @@ sub feed_entry { my $base = $ctx->{feed_base_url}; if (defined $irt) { my $irt_uuid = to_uuid($irt); - $irt = mid_escape($irt); + $irt = mid_href($irt); $irt = qq(); } else { $irt = ''; } - my $href = $base . mid_escape($mid) . '/'; + my $href = $base . mid_href($mid) . '/'; my $t = msg_timestamp($hdr); my @t = gmtime(defined $t ? $t : time); my $updated = feed_updated(@t); -- cgit v1.2.3-24-ge0c7
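Review bot: In atom_header, `$self_url .= mid_href($mid).'/t.atom';` leaves `$self_url` holding text that is already encoded for an href attribute, and nothing at the assignment records that. mid_href is defined outside this diff, but going by the commit message it HTML-escapes `&`, so a later consumer that escapes `$self_url` again, or uses it as a plain URL, would emit a doubly or wrongly encoded link. I would add a comment on that line such as `# mid_href() output is already href-safe; do not escape $self_url again`. The same applies to `my $href = $base . mid_href($mid) . '/';` in the feed_entry hunk, where the escaping state of `$base` is not visible. atom_header's body continues outside the hunk.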
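Review bot: In feed_entry, `$irt` carries three different values within a few lines: the raw In-Reply-To Message-ID, its `mid_href` form, and finally the `qq()` string built from it, which makes the escaping state hard to audit. `to_uuid($irt)` presumably has to hash the raw Message-ID (atom_header passes the raw `$mid` to it too), so the `mid_href` call must stay below that line. A separate name would make this explicit, e.g. `my $irt_href = mid_href($irt);` with the `qq()` line interpolating `$irt_href`, or at least a comment `# to_uuid() needs the raw Message-ID; escape only after this line`. feed_entry starts and ends outside the hunk.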