From: W. Trevor King Date: Thu, 13 Feb 2014 16:47:20 +0000 (+1600) Subject: [PATCH v3 5/8] nmbug-status: Escape &, <, and > in HTML display data X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=818f4d870286a237d347be21ee9e3f341fe9aced;p=notmuch-archives.git [PATCH v3 5/8] nmbug-status: Escape &, <, and > in HTML display data --- diff --git a/96/22d8676650e75e3335b1a8f4f712093428150d b/96/22d8676650e75e3335b1a8f4f712093428150d new file mode 100644 index 000000000..bd728e375 --- /dev/null +++ b/96/22d8676650e75e3335b1a8f4f712093428150d 
@@ -0,0 +1,114 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id B4067431FDC + for ; Thu, 13 Feb 2014 08:51:06 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References" +X-Spam-Flag: NO +X-Spam-Score: 0 +X-Spam-Level: +X-Spam-Status: No, score=0 tagged_above=-999 required=5 + tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] + autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id g6aYuky8fGis for ; + Thu, 13 Feb 2014 08:50:59 -0800 (PST) +Received: from QMTA11.westchester.pa.mail.comcast.net + (qmta11.westchester.pa.mail.comcast.net [76.96.59.211]) + by olra.theworths.org (Postfix) with ESMTP id 525E1431FC2 + for ; Thu, 13 Feb 2014 08:50:47 -0800 (PST) +Received: from omta20.westchester.pa.mail.comcast.net ([76.96.62.71]) + by QMTA11.westchester.pa.mail.comcast.net with comcast + id Rpnj1n0061YDfWL5Bsqnh7; Thu, 13 Feb 2014 16:50:47 +0000 +Received: from odin.tremily.us ([24.18.63.50]) + by omta20.westchester.pa.mail.comcast.net with comcast + id Rsom1n002152l3L3gsomUZ; Thu, 13 Feb 2014 16:48:47 +0000 +Received: from mjolnir.tremily.us (unknown [192.168.0.140]) + by odin.tremily.us (Postfix) with ESMTPS id A2FDF102DA08; + Thu, 13 Feb 2014 08:48:45 -0800 (PST) +Received: (nullmailer pid 17991 invoked by uid 1000); + Thu, 13 Feb 2014 16:47:29 -0000 +From: "W. 
Trevor King" +To: notmuch@notmuchmail.org +Subject: [PATCH v3 5/8] nmbug-status: Escape &, <, and > in HTML display data +Date: Thu, 13 Feb 2014 08:47:20 -0800 +Message-Id: + +X-Mailer: git-send-email 1.8.5.2.8.g0f6c0d1 +In-Reply-To: +References: +In-Reply-To: +References: +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; + s=q20121106; t=1392310247; + bh=VosB/uUJnR+iJHM9vJAxTQQkCLzOFY8hHgWpuzkG6nA=; + h=Received:Received:Received:Received:From:To:Subject:Date: + Message-Id; + b=j/Sq5EHQzKGnUT/d9GzHdgf8k9Fyzk2MYf6xU6ksYG1bUUIU0aYjGb/h80B31KKFm + X5aoRVKhoOWMIBOfkB6CfAxBto2KpHOr6anF7n2Y8WMTlPLIN5o5lDpMUR/7wy+5zQ + H19fpUIJD92FfIMPHvJwbMw5bvFm2VkZGj0GWl+mV11BHOBWsTGtVy7eSR0SnbmWv/ + IN4F3hjZGrc4TwN5A2TKeZ3gKRcWxRdXoS/hJmJYksUNCY28rteFAKewdn5EdoROx0 + pqNDa9Jc1f8thdEwnDAnShWqnJ6FF7Rb5Md+V3LpMqehj043zXR1Y4XG4fcKOg3YKO + Ba01YxctFsIOw== +Cc: Tomi Ollila +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Thu, 13 Feb 2014 16:51:07 -0000 + +'message-id' and 'from' now have sensitive characters escaped using +xml.sax.saxutils.escape [1]. The 'subject' data was already being +converted to a link into Gmane; I've escape()d that too, so it doesn't +need to be handled ain the same block as 'message-id' and 'from'. + +This prevents broken HTML by if subjects etc. contain characters that +would otherwise be interpreted as HTML markup. 
+ +[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape +--- + devel/nmbug/nmbug-status | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status +index 92552a4..57eec6c 100755 +--- a/devel/nmbug/nmbug-status ++++ b/devel/nmbug/nmbug-status +@@ -24,6 +24,7 @@ import os + import re + import sys + import subprocess ++import xml.sax.saxutils + + + _ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding() +@@ -229,11 +230,14 @@ class HtmlPage (Page): + if 'subject' in display_data and 'message-id' in display_data: + d = { + 'message-id': quote(display_data['message-id']), +- 'subject': display_data['subject'], ++ 'subject': xml.sax.saxutils.escape(display_data['subject']), + } + display_data['subject'] = ( + '{subject}' + ).format(**d) ++ for key in ['message-id', 'from']: ++ if key in display_data: ++ display_data[key] = xml.sax.saxutils.escape(display_data[key]) + return (running_data, display_data) + + def _slug(self, string): +-- +1.8.5.2.8.g0f6c0d1 +
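Review bot: style point on the import hunk at `+import xml.sax.saxutils`: the three call sites added below each spell out `xml.sax.saxutils.escape(...)`, so `from xml.sax.saxutils import escape` would keep those lines short and match how `quote` is already used unqualified in the same method (`quote(display_data['message-id'])`).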
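Review bot: in the `HtmlPage` hunk, `xml.sax.saxutils.escape()` with its default arguments rewrites only `&`, `<` and `>` and leaves double quotes alone, so the escaped `subject`, `message-id` and `from` values are safe as element text but not inside an attribute; either keep them between tags only, or pass `entities={'"': '&quot;'}` so the same values can also be used in attribute context. The `'message-id'` used for the link still goes through `quote()` rather than `escape()`, which is the right treatment for a URL component, and the new loop escapes `display_data['message-id']` only after that link has been built, which is the right order; a one-line comment saying the raw value must be consumed before the loop would stop a later reorder from double-encoding it. Two typos in the commit message are worth fixing before merge: "handled ain the same block" and "broken HTML by if subjects".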