author | Eric Wong <e@80x24.org> | 2023-11-27 10:23:48 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2023-11-27 21:25:46 +0000 |
commit | 577e421a0815e66f965bd4317adad5aeea3cc52a (patch) | |
tree | c53ac7d844f0134138ada0605dc6ac0368d4a40b /lib/PublicInbox/SearchIdx.pm | |
parent | bedd1b759b3bcaa471bffc97391d8c04cdcbd550 (diff) | |
download | public-inbox-577e421a0815e66f965bd4317adad5aeea3cc52a.tar.gz |
Our use of MID_ESC characters was only intended for the pathname component of URIs and not appropriate for the query string component. So use a different $unsafe parameter list for uri_escape to make the result appropriate for query strings by disallowing [\&\'\+=] characters.

Most notably, this change also allows us to accept `/' (slash) unescaped to make dfn: queries nicer to look at.

Finally, we'll also add an ascii_html call on the URI-escaped result as an extra safety measure even though it's not really needed. As far as I can tell, the code without this fix didn't result in an HTML injection since all our uses of uri_escape did escape angle brackets.

Reported-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
Link: https://public-inbox.org/meta/87o7ff4nlk.fsf@collabora.com/
Tested-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
Diffstat (limited to 'lib/PublicInbox/SearchIdx.pm')
0 files changed, 0 insertions, 0 deletions
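The commit message describes the fix in terms of uri_escape's $unsafe list; the example below, written here in Python and not taken from public-inbox, illustrates the same point: a path-segment escaper leaves `&`, `=`, `+` and `'` literal, which a query-string parser then treats as delimiters, while a query-value escaper encodes them and can afford to leave `/` literal. The two safe sets (`PATH_SAFE`, `QUERY_SAFE`) and the sample dfn: query are constructed assumptions for this illustration, not public-inbox's MID_ESC or its new $unsafe list. The `search_href` helper mirrors the commit's extra ascii_html step: HTML-escaping the already URI-escaped value is a no-op once the query escaper is right.

```python
"""Added example (not public-inbox code): why a URI path-segment escaper is the
wrong tool for a query-string value, and why HTML-escaping the result is only
belt-and-braces once the query escaper is correct."""
import html
from urllib.parse import parse_qs, quote

# ASSUMPTION: these safe sets are constructed for this example; they are not
# public-inbox's MID_ESC or the $unsafe list introduced by the commit.
# Path segment: RFC 3986 pchar sub-delims may stay literal; only "/" needs escaping.
PATH_SAFE = "!$&'()*+,;=:@"
# Query value: "/" may stay literal (RFC 3986: query = *( pchar / "/" / "?" )),
# but "&", "=" and "+" are form-encoding delimiters and "'" is kept out so the
# result is also safe inside a single-quoted HTML attribute.
QUERY_SAFE = "/:@!$()*,;?"


def escape_path_segment(s: str) -> str:
    """Escape for a path component: keeps sub-delims literal, escapes '/'."""
    return quote(s, safe=PATH_SAFE)


def escape_query_value(s: str) -> str:
    """Escape for a query-string value: escapes & = + ' but keeps '/' literal."""
    return quote(s, safe=QUERY_SAFE)


def query_params(qs: str) -> dict:
    """Decode a query string the way a form parser does ('+' becomes a space)."""
    return parse_qs(qs)


def search_href(query: str) -> str:
    """URI-escape for the query component, then HTML-escape the escaped text
    before placing it in an href (the commit's ascii_html safety step).
    With a correct query escaper the HTML escape changes nothing."""
    return "/?q=" + html.escape(escape_query_value(query), quote=True)


if __name__ == "__main__":
    # Constructed dfn: query carrying a stray "&x=1" that must stay inside q.
    q = "dfn:lib/foo.c&x=1"
    # Path-style escaping lets "&x=1" escape the value and become a second parameter.
    print(query_params("q=" + escape_path_segment(q)))  # {'q': ['dfn:lib/foo.c'], 'x': ['1']}
    # Query-style escaping keeps it as one value and leaves "/" readable.
    print(query_params("q=" + escape_query_value(q)))   # {'q': ['dfn:lib/foo.c&x=1']}
    print(search_href(q))                                # /?q=dfn:lib/foo.c%26x%3D1
    # "+" is another trap: literal "+" in a query decodes as a space.
    print(query_params("q=" + escape_path_segment("it's a+b")))  # {'q': ["it's a b"]}
    print(query_params("q=" + escape_query_value("it's a+b")))   # {'q': ["it's a+b"]}
```

Note that the path-style result still needs an HTML escape before it can go into markup (`&x=1` becomes `&amp;x=1`), whereas the query-style result contains nothing for `html.escape` to touch, which is the sense in which the commit calls the extra ascii_html call "not really needed".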