From: David Bremner
To: Jakub Wilk, notmuch@notmuchmail.org
Subject: Re: [PATCH] nmweb: escape subject in search view
In-Reply-To: <20220905110721.1881015-1-david@tethera.net>
References: <20220822064717.qftn4tr7cs4r2ian@jwilk.net> <20220905110721.1881015-1-david@tethera.net>
Date: Fri, 16 Sep 2022 21:50:55 -0300
Message-ID: <87mtay9634.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."

David Bremner writes:

> Fix a bug reported by Jakub Wilk [1].
>
> [1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
> --- > devel/notmuch-web/nmweb.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py > index 928e4863..7b555c62 100755 > --- a/devel/notmuch-web/nmweb.py > +++ b/devel/notmuch-web/nmweb.py > @@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs > def link_msg(msg): > lnk = quote_plus(msg.messageid.encode('utf8')) > try: > - subj = msg.header('Subject') > + subj = html.escape(msg.header('Subject')) > except LookupError: > subj = "" > out = '%s' % (prefix, lnk, subj) > -- > 2.35.2

I've deployed this patch on nmbug.notmuchmail.org. It seems to do the right thing, at least for Jakub's original reported message.

d
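Review bot: in link_msg the "out = ..." line still builds the markup by % interpolation, so its safety rests on every argument being encoded at the call site, and the hunk only covers two of the three. lnk goes through quote_plus and subj now goes through html.escape, but prefix is interpolated as-is; if prefix is fixed configuration that is fine, though a one-line comment above "out =" saying so (and that any new value added to the tuple must be escaped) would keep the next change from reintroducing the problem. The commit message would also benefit from stating what the bug was, namely that the Subject header reached the search view unescaped, rather than only pointing at the report by message id.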