* nmweb HTML injection
@ 2022-08-22 6:47 Jakub Wilk
2022-08-22 8:35 ` Michael J Gruber
2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
0 siblings, 2 replies; 5+ messages in thread
From: Jakub Wilk @ 2022-08-22 6:47 UTC (permalink / raw)
To: notmuch
See: https://nmbug.notmuchmail.org/nmweb/search/markup%20where%20appropriate
<code> and <p> from the mail subject were dumped without escaping into HTML.
--
Jakub Wilk
* Re: nmweb HTML injection
2022-08-22 6:47 nmweb HTML injection Jakub Wilk
@ 2022-08-22 8:35 ` Michael J Gruber
2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
1 sibling, 0 replies; 5+ messages in thread
From: Michael J Gruber @ 2022-08-22 8:35 UTC (permalink / raw)
To: Jakub Wilk; +Cc: notmuch
On Mon, 22 Aug 2022 at 09:22, Jakub Wilk <jwilk@jwilk.net> wrote:
>
> See: https://nmbug.notmuchmail.org/nmweb/search/markup%20where%20appropriate
>
> <code> and <p> from the mail subject were dumped without escaping into HTML.
>
Interesting :)
The body is htmlescape()ed, but the subject header is used as is. It
should be escaped too.
Michael
* [PATCH] nmweb: escape subject in search view
2022-08-22 6:47 nmweb HTML injection Jakub Wilk
2022-08-22 8:35 ` Michael J Gruber
@ 2022-09-05 11:07 ` David Bremner
2022-09-17 0:50 ` David Bremner
2022-09-23 23:21 ` David Bremner
1 sibling, 2 replies; 5+ messages in thread
From: David Bremner @ 2022-09-05 11:07 UTC (permalink / raw)
To: Jakub Wilk, notmuch
Fix a bug reported by Jakub Wilk [1].
[1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
---
devel/notmuch-web/nmweb.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py
index 928e4863..7b555c62 100755
--- a/devel/notmuch-web/nmweb.py
+++ b/devel/notmuch-web/nmweb.py
@@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs
def link_msg(msg):
lnk = quote_plus(msg.messageid.encode('utf8'))
try:
- subj = msg.header('Subject')
+ subj = html.escape(msg.header('Subject'))
except LookupError:
subj = ""
out = '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)
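Review bot: the `+` line calls `html.escape` but the hunk adds no `import html`; confirm nmweb.py already imports `html` at module level (or add the import in this patch), otherwise the first render of the search view fails with NameError. Escaping at this point is the right level: `subj` is the only raw, user-controlled value in the `out = '<a href="%s/show/%s">%s</a>'` line, since `lnk` is already percent-encoded by `quote_plus`, and `html.escape`'s default `quote=True` additionally turns quotes into entities, which is harmless for element text.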
--
2.35.2
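Michael's diagnosis (body escaped, subject used as is) and David's one-line fix, as an added example that is not nmweb's own code: a stand-in for link_msg in both the unescaped and the escaped form, driven by a constructed message whose subject carries the same <code> and <p> markup as Jakub's report, plus a small parser-based check that lists which tags a browser would actually see inside the link. FakeMessage, PREFIX, the message id and the subject are all constructed; html.escape and quote_plus are the standard-library calls the patch uses.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote_plus

# Constructed stand-in for nmweb's site prefix (not the real deployment URL).
PREFIX = "https://nmbug.example.invalid/nmweb"


class FakeMessage:
    """Constructed stand-in for the notmuch message object link_msg receives."""

    def __init__(self, messageid, headers):
        self.messageid = messageid
        self._headers = headers

    def header(self, name):
        # notmuch raises LookupError for a missing header; mirror that.
        try:
            return self._headers[name]
        except KeyError:
            raise LookupError(name)


def link_msg_unescaped(msg, prefix=PREFIX):
    """Pre-patch behaviour: the subject is interpolated verbatim into HTML."""
    lnk = quote_plus(msg.messageid.encode("utf8"))
    try:
        subj = msg.header("Subject")
    except LookupError:
        subj = ""
    return '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)


def link_msg_escaped(msg, prefix=PREFIX):
    """Post-patch behaviour: the subject goes through html.escape first."""
    lnk = quote_plus(msg.messageid.encode("utf8"))
    try:
        subj = html.escape(msg.header("Subject"))
    except LookupError:
        subj = ""
    return '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Return the start tags a browser would parse out of an HTML fragment.

    For the link builder above, anything beyond the single 'a' came from
    the subject header, i.e. is injected markup.
    """
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    # Constructed subject modelled on the reported one: contains <code> and <p>.
    msg = FakeMessage("20220822000000.example@jwilk.invalid",
                      {"Subject": "Fix <code>a & b</code> <p>"})
    for build in (link_msg_unescaped, link_msg_escaped):
        out = build(msg)
        print(build.__name__, "->", out)
        print("  tags parsed:", tags_in(out))
```

Running the module prints the two anchors and the tags parsed from each: the unescaped variant yields a, code and p, the escaped one only a. The same tags_in check is a cheap regression test to run over any other template string in the module that interpolates a header value.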
* Re: [PATCH] nmweb: escape subject in search view
2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
@ 2022-09-17 0:50 ` David Bremner
2022-09-23 23:21 ` David Bremner
1 sibling, 0 replies; 5+ messages in thread
From: David Bremner @ 2022-09-17 0:50 UTC (permalink / raw)
To: Jakub Wilk, notmuch
David Bremner <david@tethera.net> writes:
> Fix a bug reported by Jakub Wilk [1].
>
> [1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
> ---
> devel/notmuch-web/nmweb.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py
> index 928e4863..7b555c62 100755
> --- a/devel/notmuch-web/nmweb.py
> +++ b/devel/notmuch-web/nmweb.py
> @@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs
> def link_msg(msg):
> lnk = quote_plus(msg.messageid.encode('utf8'))
> try:
> - subj = msg.header('Subject')
> + subj = html.escape(msg.header('Subject'))
> except LookupError:
> subj = ""
> out = '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)
> --
> 2.35.2
I've deployed this patch on nmbug.notmuchmail.org. It seems to do the
right thing, at least for Jakub's original reported message.
d
* Re: [PATCH] nmweb: escape subject in search view
2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
2022-09-17 0:50 ` David Bremner
@ 2022-09-23 23:21 ` David Bremner
1 sibling, 0 replies; 5+ messages in thread
From: David Bremner @ 2022-09-23 23:21 UTC (permalink / raw)
To: Jakub Wilk, notmuch
David Bremner <david@tethera.net> writes:
> Fix a bug reported by Jakub Wilk [1].
>
> [1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
applied to master
d
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/