mirror of
https://git.notmuchmail.org/git/notmuch
synced 2024-12-23 01:44:52 +01:00
nmbug-status: Escape &, <, and > in HTML display data
'message-id' and 'from' now have sensitive characters escaped using xml.sax.saxutils.escape [1]. The 'subject' data was already being converted to a link into Gmane; I've escape()d that too, so it doesn't need to be handled ain the same block as 'message-id' and 'from'. This prevents broken HTML by if subjects etc. contain characters that would otherwise be interpreted as HTML markup. [1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
This commit is contained in:
parent
aa32d2579b
commit
aaa7f0d92e
1 changed files with 5 additions and 1 deletions
|
@ -24,6 +24,7 @@ import os
|
||||||
import re
|
import re
|
||||||
import sys
|
import sys
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import xml.sax.saxutils
|
||||||
|
|
||||||
|
|
||||||
_ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
|
_ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
|
||||||
|
@ -226,11 +227,14 @@ class HtmlPage (Page):
|
||||||
if 'subject' in display_data and 'message-id' in display_data:
|
if 'subject' in display_data and 'message-id' in display_data:
|
||||||
d = {
|
d = {
|
||||||
'message-id': quote(display_data['message-id']),
|
'message-id': quote(display_data['message-id']),
|
||||||
'subject': display_data['subject'],
|
'subject': xml.sax.saxutils.escape(display_data['subject']),
|
||||||
}
|
}
|
||||||
display_data['subject'] = (
|
display_data['subject'] = (
|
||||||
'<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
|
'<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
|
||||||
).format(**d)
|
).format(**d)
|
||||||
|
for key in ['message-id', 'from']:
|
||||||
|
if key in display_data:
|
||||||
|
display_data[key] = xml.sax.saxutils.escape(display_data[key])
|
||||||
return (running_data, display_data)
|
return (running_data, display_data)
|
||||||
|
|
||||||
def _slug(self, string):
|
def _slug(self, string):
|
||||||
|
|
Loading…
Reference in a new issue