nmbug-status: Escape &, <, and > in HTML display data

'message-id' and 'from' now have sensitive characters escaped using xml.sax.saxutils.escape [1]. The 'subject' data was already being converted to a link into Gmane; I've escape()d that too, so it doesn't need to be handled ain the same block as 'message-id' and 'from'. This prevents broken HTML by if subjects etc. contain characters that would otherwise be interpreted as HTML markup. [1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
2024-12-22 17:34:54 +01:00 · 2014-02-13 08:47:20 -08:00 · 2014-02-13 08:47:20 -08:00 · aaa7f0d92e
commit aaa7f0d92e
parent aa32d2579b
1 changed files with 5 additions and 1 deletions
--- a/devel/nmbug/nmbug-status
+++ b/devel/nmbug/nmbug-status
@ -24,6 +24,7 @@ import os
 import re
 import sys
 import subprocess
+import xml.sax.saxutils


 _ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
@ -226,11 +227,14 @@ class HtmlPage (Page):
        if 'subject' in display_data and 'message-id' in display_data:
            d = {
                'message-id': quote(display_data['message-id']),
-                'subject': display_data['subject'],
+                'subject': xml.sax.saxutils.escape(display_data['subject']),
                }
            display_data['subject'] = (
                '<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
                ).format(**d)
+        for key in ['message-id', 'from']:
+            if key in display_data:
+                display_data[key] = xml.sax.saxutils.escape(display_data[key])
        return (running_data, display_data)

    def _slug(self, string):