From 92f27ed0be327ab6acb61aeedf7a77702cc6c25f Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 14 Mar 2017 21:23:39 +0000
Subject: view: escape HTML description name

Otherwise funky filenames can cause HTML injection vulnerabilities (hope you have JavaScript disabled!)
---
 t/view.t | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 't')

diff --git a/t/view.t b/t/view.t
index 46fbe410..2181b5ef 100644
--- a/t/view.t
+++ b/t/view.t
@@ -124,7 +124,7 @@ EOF
 Email::MIME->create(
 attributes => {
 content_type => 'text/plain',
-filename => "foo.patch",
+filename => "foo&.patch",
 },
 body => "--- a/file\n+++ b/file\n" .
 "@@ -49, 7 +49,34 @@\n",
@@ -140,7 +140,7 @@ EOF
 );
 my $html = msg_html($mime);
-like($html, qr!.*Attachment #2: foo\.patch --!,
+like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!,
 "parts split with filename");
 }
-- 
cgit v1.2.3-24-ge0c7
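Review bot: The updated assertion in the second hunk only pins the escaping of `&`, which by itself cannot open a tag or attribute; the characters that actually make a filename an HTML injection vector are `<`, `>` and `"`, and none of them is exercised by the fixture filename changed in the first hunk. A fixture such as `filename => "foo&<.patch"` paired with `like($html, qr!Attachment #2: foo&(?:amp|#38);&(?:lt|#60);\.patch --!,` would confirm the escaping also covers tag delimiters; the exact entity spelling depends on the escaping helper in the view code, which this patch (limited to t/) does not show, so the alternation should be adjusted to whatever that helper emits. The leading `.*` in the pattern is redundant because the regex is unanchored. The enclosing test block begins outside the hunk.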