From: "W. Trevor King"
To: notmuch@notmuchmail.org
Cc: Tomi Ollila
Subject: [PATCH v3 5/8] nmbug-status: Escape &, <, and > in HTML display data
Date: Thu, 13 Feb 2014 08:47:20 -0800

'message-id' and 'from' now have sensitive characters escaped using xml.sax.saxutils.escape [1]. The 'subject' data was already being converted to a link into Gmane; I've escape()d that too, so it doesn't need to be handled in the same block as 'message-id' and 'from'.

This prevents broken HTML if subjects etc. contain characters that would otherwise be interpreted as HTML markup.

[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape

--- devel/nmbug/nmbug-status | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status index 92552a4..57eec6c 100755 --- a/devel/nmbug/nmbug-status +++ b/devel/nmbug/nmbug-status @@ -24,6 +24,7 @@ import os import re import sys import subprocess +import xml.sax.saxutils _ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding() 
@@ -229,11 +230,14 @@ class HtmlPage (Page): if 'subject' in display_data and 'message-id' in display_data: d = { 'message-id': quote(display_data['message-id']), - 'subject': display_data['subject'], + 'subject': xml.sax.saxutils.escape(display_data['subject']), } display_data['subject'] = ( '{subject}' ).format(**d) + for key in ['message-id', 'from']: + if key in display_data: + display_data[key] = xml.sax.saxutils.escape(display_data[key]) return (running_data, display_data) def _slug(self, string): -- 1.8.5.2.8.g0f6c0d1
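
Review bot: in the second hunk (class HtmlPage, @@ -229,11 +230,14 @@), xml.sax.saxutils.escape() is called without an entities argument, so it rewrites only &, < and > and leaves double and single quotes in 'subject', 'message-id' and 'from' unchanged. That is enough while these values are emitted as element text, but if any of them is later interpolated into an attribute value, switch that call to xml.sax.saxutils.quoteattr() or pass an entities mapping for the quote characters. A one-line comment above the new "for key in ['message-id', 'from']:" loop saying it must stay after the subject block would also help, since that block passes the raw 'message-id' to quote() and reordering would URL-quote an already escaped value.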
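
The effect described in the commit message, as an added example that is not part of the patch or of nmbug-status: it renders a subject link with and without escape() and parses the result back to see which tags an HTML parser actually finds. The link template, the helper names and the sample message are assumptions constructed for illustration; the href target is a placeholder.

```python
# Added example: constructed data and hypothetical helper names.
from html.parser import HTMLParser
from urllib.parse import quote
from xml.sax.saxutils import escape

# Placeholder link target; the page does not show the real template.
TEMPLATE = '<a href="https://example.invalid/{message-id}">{subject}</a>'


def render_subject(display_data, escape_text=True):
    """Build the subject link from a dict shaped like the one in the patch."""
    subject = display_data['subject']
    d = {
        # URL context: percent-encode the message id.
        'message-id': quote(display_data['message-id']),
        # Element-text context: escape &, < and > (quotes are left alone).
        'subject': escape(subject) if escape_text else subject,
    }
    return TEMPLATE.format(**d)


class _Collector(HTMLParser):
    """Record every start tag and all character data a parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parse_back(fragment):
    """Return (start tags, text) as an HTML parser interprets the fragment."""
    collector = _Collector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, ''.join(collector.text)


# Constructed sample message, not taken from the list archive.
SAMPLE = {
    'message-id': 'id<1>@example.invalid',
    'subject': '[PATCH] handle <b>bold</b> & "quoted" subjects',
}
```

With escaping, the parser sees a single `a` element whose text round-trips to the original subject; without it, the subject's own markup becomes a second element.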