From: "W. Trevor King" <wking@tremily.us>
To: notmuch@notmuchmail.org
Cc: Tomi Ollila <tomi.ollila@iki.fi>
Subject: [PATCH v3 5/8] nmbug-status: Escape &, <, and > in HTML display data
Date: Thu, 13 Feb 2014 08:47:20 -0800
Message-ID: <d0061c00aee8405ca66118025f034fc6f9b0281b.1392309570.git.wking@tremily.us>
In-Reply-To: <cover.1392309570.git.wking@tremily.us>
'message-id' and 'from' now have sensitive characters escaped using
xml.sax.saxutils.escape [1]. The 'subject' data was already being
converted to a link into Gmane; I've escape()d that too, so it doesn't
need to be handled in the same block as 'message-id' and 'from'.
This prevents broken HTML if subjects etc. contain characters that
would otherwise be interpreted as HTML markup.
[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
---
devel/nmbug/nmbug-status | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status
index 92552a4..57eec6c 100755
--- a/devel/nmbug/nmbug-status
+++ b/devel/nmbug/nmbug-status
@@ -24,6 +24,7 @@ import os
import re
import sys
import subprocess
+import xml.sax.saxutils
_ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
@@ -229,11 +230,14 @@ class HtmlPage (Page):
if 'subject' in display_data and 'message-id' in display_data:
d = {
'message-id': quote(display_data['message-id']),
- 'subject': display_data['subject'],
+ 'subject': xml.sax.saxutils.escape(display_data['subject']),
}
display_data['subject'] = (
'<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
).format(**d)
+ for key in ['message-id', 'from']:
+ if key in display_data:
+ display_data[key] = xml.sax.saxutils.escape(display_data[key])
return (running_data, display_data)
def _slug(self, string):
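Review bot: in the second hunk, 'subject' is escaped only inside `if 'subject' in display_data and 'message-id' in display_data:`, so a subject that arrives without a 'message-id' is never passed through escape() and is returned unescaped. Handling that case separately (for example an else branch that escapes 'subject' on its own) would close the gap without double-escaping the linked form. It is also worth a short comment next to the new loop that xml.sax.saxutils.escape() called without an entities argument leaves double and single quotes untouched: that is fine for the element content produced here, but 'message-id' and 'from' would need extra quoting if they were later reused inside an attribute value.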
--
1.8.5.2.8.g0f6c0d1
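The escaping rule described in the commit message above, as an added example that is not part of the patch or of nmbug-status. `render_fields`, `attr_value` and the `SAMPLE` header values are hypothetical and constructed for illustration; the example goes one step beyond the patch by escaping the subject even when no message-id is present and by showing the extra entity an attribute value needs.

```python
from urllib.parse import quote
from xml.sax.saxutils import escape


def attr_value(value):
    """Escape text for use inside a double-quoted HTML attribute.

    escape() alone handles only &, < and >; the double quote has to be
    supplied as an extra entity.
    """
    return escape(value, {'"': '&quot;'})


def render_fields(display_data):
    """Return a copy of display_data that is safe as HTML element content.

    Hypothetical helper, not the nmbug-status implementation.
    """
    # Escape every field first, so a subject without a message-id is
    # still covered.
    safe = {key: escape(value) for key, value in display_data.items()}
    if 'subject' in safe and 'message-id' in display_data:
        # The URL is built from the raw message-id: percent-encode it
        # for the URL, then escape the result for the attribute context.
        href = 'http://mid.gmane.org/' + quote(display_data['message-id'])
        safe['subject'] = '<a href="{}">{}</a>'.format(
            attr_value(href), safe['subject'])
    return safe


# Constructed sample headers containing characters that are HTML markup.
SAMPLE = {
    'subject': 'Re: <b>bold</b> & "quotes"',
    'message-id': 'a&b"<c>@example.org',
    'from': 'Eve <eve@example.org>',
}

if __name__ == '__main__':
    for key, value in sorted(render_fields(SAMPLE).items()):
        print(key, '->', value)
```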
Thread overview: 16+ messages
2014-02-13 16:47 [PATCH v3 0/8] nmbug-status: Python-3-compatibility and general refactoring W. Trevor King
2014-02-13 16:47 ` [PATCH v3 1/8] nmbug-status: Anchor with h3 ids instead of a names W. Trevor King
2014-02-13 16:47 ` [PATCH v3 2/8] nmbug-status: Slug the title when using it as an id W. Trevor King
2014-02-13 16:47 ` [PATCH v3 3/8] nmbug-status: Use <code> and <p> markup where appropriate W. Trevor King
2014-02-13 16:47 ` [PATCH v3 4/8] nmbug-status: Color threads in HTML output W. Trevor King
2014-02-14 1:58 ` David Bremner
2014-02-14 2:05 ` W. Trevor King
2014-02-13 16:47 ` W. Trevor King [this message]
2014-02-13 16:47 ` [PATCH v3 6/8] nmbug-status: Add inter-message padding W. Trevor King
2014-02-14 2:13 ` David Bremner
2014-02-14 4:07 ` W. Trevor King
2014-02-14 12:40 ` David Bremner
2014-02-13 16:47 ` [PATCH v3 7/8] nmbug-status: Encode output using the user's locale W. Trevor King
2014-02-13 17:42 ` W. Trevor King
2014-02-13 16:47 ` [PATCH v3 8/8] nmbug-status: Hardcode UTF-8 instead of " W. Trevor King
2014-02-13 17:14 ` [PATCH v3 0/8] nmbug-status: Python-3-compatibility and general refactoring Tomi Ollila