From: "W. Trevor King" <wking@tremily.us>
To: notmuch@notmuchmail.org
Cc: Tomi Ollila <tomi.ollila@iki.fi>
Subject: [PATCH v2 19/20] nmbug-status: Escape &, <, and > in HTML display data
Date: Mon, 10 Feb 2014 10:40:40 -0800 [thread overview]
Message-ID: <12913effee843bd0edb90829f2a697fefc5715b1.1392056624.git.wking@tremily.us> (raw)
In-Reply-To: <cover.1392056624.git.wking@tremily.us>
In-Reply-To: <cover.1392056624.git.wking@tremily.us>
'message-id' and 'from' now have sensitive characters escaped using
xml.sax.saxutils.escape [1]. The 'subject' data was already being
converted to a link into Gmane; I've escape()d that too, so it doesn't
need to be handled ain the same block as 'message-id' and 'from'.
This prevents broken HTML by if subjects etc. contain characters that
would otherwise be interpreted as HTML markup.
[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
---
devel/nmbug/nmbug-status | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status
index 1f0873a..7209dd1 100755
--- a/devel/nmbug/nmbug-status
+++ b/devel/nmbug/nmbug-status
@@ -24,6 +24,7 @@ import os
import re
import sys
import subprocess
+import xml.sax.saxutils
_ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
@@ -229,11 +230,14 @@ class HtmlPage (Page):
if 'subject' in display_data and 'message-id' in display_data:
d = {
'message-id': quote(display_data['message-id']),
- 'subject': display_data['subject'],
+ 'subject': xml.sax.saxutils.escape(display_data['subject']),
}
display_data['subject'] = (
'<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
).format(**d)
+ for key in ['message-id', 'from']:
+ if key in display_data:
+ display_data[key] = xml.sax.saxutils.escape(display_data[key])
return (running_data, display_data)
def _slug(self, string):
--
1.8.5.2.8.g0f6c0d1
next prev parent reply other threads:[~2014-02-10 18:45 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-10 18:40 [PATCH v2 00/20] nmbug-status: Python-3-compatibility and general refactoring W. Trevor King
2014-02-10 18:40 ` [PATCH v2 01/20] nmbug-status: Convert to Python-3-compatible print functions W. Trevor King
2014-02-10 18:40 ` [PATCH v2 02/20] nmbug-status: Use email.utils instead of rfc822 W. Trevor King
2014-02-10 18:40 ` [PATCH v2 03/20] nmbug-status: Decode Popen output using the user's locale W. Trevor King
2014-02-10 18:40 ` [PATCH v2 04/20] nmbug-status: Factor config-loading out into read_config W. Trevor King
2014-02-10 18:40 ` [PATCH v2 05/20] nmbug-status: Add metavars for --config and --get-query W. Trevor King
2014-02-10 18:40 ` [PATCH v2 06/20] nmbug-status: Consolidate functions and main code W. Trevor King
2014-02-10 18:40 ` [PATCH v2 07/20] nmbug-status: Don't require write access W. Trevor King
2014-02-10 18:40 ` [PATCH v2 08/20] nmbug-status: Consolidate HTML header printing W. Trevor King
2014-02-10 18:40 ` [PATCH v2 09/20] nmbug-status: Add a Python-3-compatible urllib.parse.quote import W. Trevor King
2014-02-10 18:40 ` [PATCH v2 10/20] nmbug-status: Add Page and HtmlPage for modular rendering W. Trevor King
2014-02-10 18:40 ` [PATCH v2 11/20] nmbug-status: Add an OrderedDict stub for Python 2.6 W. Trevor King
2014-02-10 18:40 ` [PATCH v2 12/20] nmbug-status: Normalize table HTML indentation W. Trevor King
2014-02-10 18:40 ` [PATCH v2 13/20] nmbug-status: Convert from XHTML 1.0 to HTML 5 W. Trevor King
2014-02-12 23:35 ` David Bremner
2014-02-13 2:06 ` W. Trevor King
2014-02-13 7:30 ` Tomi Ollila
2014-02-10 18:40 ` [PATCH v2 14/20] nmbug-status: Encode output using the user's locale W. Trevor King
2014-02-11 12:12 ` David Bremner
2014-02-11 14:14 ` Tomi Ollila
2014-02-11 20:11 ` W. Trevor King
2014-02-11 22:02 ` David Bremner
2014-02-11 22:33 ` W. Trevor King
2014-02-13 2:13 ` David Bremner
2014-02-13 2:35 ` W. Trevor King
2014-02-13 11:47 ` David Bremner
2014-02-10 18:40 ` [PATCH v2 15/20] nmbug-status: Anchor with h3 ids instead of a names W. Trevor King
2014-02-10 18:40 ` [PATCH v2 16/20] nmbug-status: Slug the title when using it as an id W. Trevor King
2014-02-10 18:40 ` [PATCH v2 17/20] nmbug-status: Use <code> and <p> markup where appropriate W. Trevor King
2014-02-10 18:40 ` [PATCH v2 18/20] nmbug-status: Color threads in HTML output W. Trevor King
2014-02-10 18:40 ` W. Trevor King [this message]
2014-02-10 18:40 ` [PATCH v2 20/20] nmbug-status: Add inter-message padding W. Trevor King
2014-02-10 20:29 ` [PATCH v2 00/20] nmbug-status: Python-3-compatibility and general refactoring Tomi Ollila
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=12913effee843bd0edb90829f2a697fefc5715b1.1392056624.git.wking@tremily.us \
--to=wking@tremily.us \
--cc=notmuch@notmuchmail.org \
--cc=tomi.ollila@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).