From 1fee6f86d7ee78161cc48a00232654f13a14bb88 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Sat, 15 Feb 2020 09:46:39 +0000
Subject: view: escape ampersand in Message-IDs

We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it, I only noticed this bug because I started killing off Hval->new* callers.
---
 lib/PublicInbox/Hval.pm | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
(limited to 'lib/PublicInbox/Hval.pm')
diff --git a/lib/PublicInbox/Hval.pm b/lib/PublicInbox/Hval.pm
index 2e883f81..40c97da4 100644
--- a/lib/PublicInbox/Hval.pm
+++ b/lib/PublicInbox/Hval.pm
@@ -10,7 +10,7 @@ use Encode qw(find_encoding);
 use PublicInbox::MID qw/mid_clean mid_escape/;
 use base qw/Exporter/;
 our @EXPORT_OK = qw/ascii_html obfuscate_addrs to_filename src_escape
- to_attr prurl/;
+ to_attr prurl mid_href/;
 my $enc_ascii = find_encoding('us-ascii');
 # safe-ish acceptable filename pattern for portability
@@ -27,10 +27,7 @@ sub new {
 }, $class;
 }
-sub new_msgid {
- my ($class, $msgid) = @_;
- $class->new($msgid, mid_escape($msgid));
-}
+sub mid_href { ascii_html(mid_escape($_[0])) }
 # some of these overrides are standard C escapes so they're
 # easy-to-understand when rendered.
--
cgit v1.2.3-24-ge0c7
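Review bot: `mid_href` in the second hunk has no comment stating its output contract, and callers depend on that contract to stay safe. The value is passed through `mid_escape` and then `ascii_html`, so it is only correct inside an HTML attribute; escaping it again, or reusing it in a non-HTML context such as a redirect header, would yield a wrong URL. I would add above the sub: `# Message-ID for use inside a double-quoted href: mid_escape()d, then ascii_html()d; do not escape the result again`. The commit message names only '<', '>' and '"' as previously escaped, and `ascii_html` is outside this diff, so whether a single-quoted attribute is equally safe should be confirmed before the comment promises more. Because the view is limited to Hval.pm, it cannot be checked here that no caller of the removed `new_msgid` remains.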