* [PATCH] www: escape HTML in footer description
@ 2016-06-17 19:09 Eric Wong
From: Eric Wong @ 2016-06-17 19:09 UTC (permalink / raw)
To: meta
This isn't a security vulnerability since $GIT_DIR/description
is controlled by the admin; but it causes the footer to
misrender.
---
lib/PublicInbox/WWW.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index c25deff..78b8826 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -15,6 +15,7 @@ use strict;
use warnings;
use Plack::Request;
use PublicInbox::Config;
+use PublicInbox::Hval;
use URI::Escape qw(uri_escape_utf8 uri_unescape);
use constant SSOMA_URL => '//ssoma.public-inbox.org/';
use constant PI_URL => '//public-inbox.org/';
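Review bot: nit on the new `use PublicInbox::Hval;` line: the only thing WWW.pm takes from it in this patch is `ascii_html`, called fully qualified in the footer hunk. If `PublicInbox::Hval` exports that function, `use PublicInbox::Hval qw(ascii_html);` here would let the call site read `ascii_html($desc)` and make the dependency explicit; if it does not export it, the fully qualified call is fine and this line can stay as is.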
@@ -255,6 +256,7 @@ sub footer {
# auto-generate a footer
chomp(my $desc = $obj->description);
+ $desc = PublicInbox::Hval::ascii_html($desc);
my $urls;
my @urls = @{$obj->cloneurl};
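Review bot: the escaping is applied to `$desc` immediately after the `chomp`, which is the right place, but the very next line reads `@{$obj->cloneurl}`, another admin-provided value that ends up in the same footer, and this hunk does not show whether those URLs are escaped when interpolated; worth checking that they get the same treatment so the footer's handling is consistent. On the commit message's "controlled by the admin" reasoning: `$GIT_DIR/description` is writable by anyone with write access to the repository directory, which on shared hosting can be a wider group than the inbox administrator, so treating it as untrusted input (as this change does) is the right default even if it is not a vulnerability today. Minor: `chomp` strips only a trailing newline, so a multi-line description still reaches `ascii_html` with embedded newlines; that is fine for escaping but may affect footer layout.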
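To make the "misrender" in the commit message concrete, the following is an added example and not code from public-inbox: a minimal stand-in for `PublicInbox::Hval::ascii_html` applied to a footer description, shown once unescaped (the old behaviour) and once escaped. The escaping rules here (HTML-special characters to entities, non-ASCII code points to numeric character references) are an assumption about what the real `ascii_html` does, the `<pre>` footer markup is hypothetical, and the sample descriptions are constructed.

```perl
#!/usr/bin/perl
# Added example (not public-inbox's own code).  html_escape is a stand-in
# for PublicInbox::Hval::ascii_html; its exact rules are an assumption.
use strict;
use warnings;

# Escape a string so it is safe to interpolate as an HTML text node.
# Expects a decoded character string (not raw UTF-8 bytes).
sub html_escape {
	my ($s) = @_;
	$s =~ s/&/&amp;/g;    # must run first so later entities are not doubled
	$s =~ s/</&lt;/g;
	$s =~ s/>/&gt;/g;
	$s =~ s/"/&#34;/g;
	$s =~ s/'/&#39;/g;
	# keep the output 7-bit: numeric character reference for any
	# non-ASCII code point (assumed to be why the real function is "ascii_html")
	$s =~ s/([^\x00-\x7f])/sprintf('&#%d;', ord($1))/ge;
	return $s;
}

# Build the footer fragment the way WWW.pm's footer() reads $obj->description:
# chomp the trailing newline, then (new behaviour) escape before interpolating.
# The <pre> wrapper is hypothetical markup for this example.
sub footer_html {
	my ($desc, $escape) = @_;
	chomp($desc);
	$desc = html_escape($desc) if $escape;
	return "<pre>$desc</pre>";
}

# Constructed sample descriptions that misrender without escaping.
my @samples = (
	"Patches for <dev\@example.org>\n",  # "<...>" is parsed as a tag and vanishes
	"foo & bar discussion\n",            # bare "&" starts an entity
);

for my $d (@samples) {
	print "unescaped: ", footer_html($d, 0), "\n";
	print "escaped:   ", footer_html($d, 1), "\n";
}
```

Run it with `perl` and compare the two lines per sample: in the unescaped output the angle-bracketed address is a tag that a browser silently drops, which is exactly the footer misrendering the patch fixes; in the escaped output every description is rendered literally.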