From 92f27ed0be327ab6acb61aeedf7a77702cc6c25f Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 14 Mar 2017 21:23:39 +0000
Subject: view: escape HTML description name

Otherwise funky filenames can cause HTML injection vulnerabilities (hope you have JavaScript disabled!)
---
 lib/PublicInbox/View.pm | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib/PublicInbox')

diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 0b1ec75b..9ef4712f 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -438,6 +438,7 @@ sub attach_link ($$$$;$) {
 	}
 	$ret .= "[-- Attachment #$idx: ";
 	my $ts = "Type: $ct, Size: $size bytes";
+	$desc = ascii_html($desc);
 	$ret .= ($desc eq '') ? "$ts --]" : "$desc --]\n[-- $ts --]";
 	$ret .= "\n";
 }
-- cgit v1.2.3-24-ge0c7
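Review bot: `$ct` is interpolated into the same HTML output on the context line just above the added one (`my $ts = "Type: $ct, Size: $size bytes";`), and a Content-Type value comes from the message just as the attachment filename does, so unless it is already escaped earlier in attach_link — whose opening lines are outside this hunk, so I cannot see — it carries the same injection risk this commit closes for `$desc`. Escaping it at the point of use, `my $ts = "Type: " . ascii_html($ct) . ", Size: $size bytes";`, or once where `$ct` is assigned, would close that gap. Applying `ascii_html` before the `$desc eq ''` test is fine since an empty string escapes to an empty string, but a short why-comment on the new line would help the next maintainer: `# $desc is an attacker-supplied attachment filename; escape before it reaches HTML`. A regression test with a filename such as `<script>` would keep this from silently coming back.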