author | Eric Wong <e@80x24.org> | 2019-06-04 10:38:20 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2019-06-04 10:38:20 +0000 |
commit | e56b908c0e97c2f479b350dfb0868bc463413b89 (patch) | |
tree | 6b8a8fc59840ebc3e6bee1bbb2e3a5e568bce351 /lib/PublicInbox/Linkify.pm | |
parent | d5c56e2a1adde279ff86fbd0be81a6b7e5ba0896 (diff) | |
parent | 91af69a41f2963f1f952cb0932ed23cd86cd1093 (diff) | |
download | public-inbox-e56b908c0e97c2f479b350dfb0868bc463413b89.tar.gz |
* charclass: (24 commits)
  www: require ASCII word characters for CSS filenames
  www: require ASCII range for mbox downloads
  githttpbackend: require ASCII in path
  require ASCII digits for local FS items
  www: require ASCII digit for git epoch
  solver|viewdiff: restrict digit matches to ASCII
  inbox: require ASCII digits for feedmax var
  filter/rubylang: require ASCII digit for mailcount
  msgtime: require ASCII digits for parsing dates
  searchview: do not allow non-ASCII offsets and limits
  githttpbackend: require Range:, Status: to be ASCII digits
  view: require YYYYmmDD(HHMMSS) timestamps to be ASCII
  newswww: only accept ASCII digits as article numbers
  config: do not accept non-ASCII digits in cgitrc params
  www: require ASCII filenames in git blob downloads
  www: only emit ASCII chars in attachment filenames
  wwwattach: only pass the charset through if ASCII
  wwwlisting: require ASCII digit for port number
  http: require SERVER_PORT to be ASCII digit
  feed: only accept ASCII digits for ref~$N
  ...
Diffstat (limited to 'lib/PublicInbox/Linkify.pm')
-rw-r--r-- | lib/PublicInbox/Linkify.pm | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/PublicInbox/Linkify.pm b/lib/PublicInbox/Linkify.pm index d4778e7d..84960a98 100644 --- a/lib/PublicInbox/Linkify.pm +++ b/lib/PublicInbox/Linkify.pm @@ -13,6 +13,7 @@ package PublicInbox::Linkify; use strict; use warnings; use Digest::SHA qw/sha1_hex/; +use PublicInbox::Hval qw(ascii_html); my $SALT = rand; my $LINK_RE = qr{([\('!])?\b((?:ftps?|https?|nntps?|gopher):// @@ -61,12 +62,12 @@ sub linkify_1 { $end = ')'; } + $url = ascii_html($url); # for IDN + # salt this, as this could be exploited to show # links in the HTML which don't show up in the raw mail. my $key = sha1_hex($url . $SALT); - # only escape ampersands, others do not match LINK_RE - $url =~ s/&/&/g; $_[0]->{$key} = $url; $beg . 'PI-LINK-'. $key . $end; ^ge; |
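Review bot: In the second hunk (linkify_1), the new comment `# for IDN` understates what `ascii_html($url)` is now responsible for. The same hunk deletes the ampersand substitution together with its comment ("only escape ampersands, others do not match LINK_RE"), so ascii_html becomes the only escaping step visible here between the matched URL and the value stored in `$_[0]->{$key}`. Please spell that out in the comment (that ascii_html is relied on to escape `&` as well as to handle the non-ASCII characters) so a later change to ascii_html or to LINK_RE does not silently leave the stored URL unescaped. A smaller point in the same hunk: `sha1_hex($url . $SALT)` is now computed over the escaped URL rather than the raw match, because the ascii_html call was placed above it. That looks harmless for a salted placeholder key, but it is a change in the hash input that the commit message does not mention.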