From a1c3dae7ead1134f7e47e53565b5eb30b925ad77 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Tue, 11 Feb 2014 10:40:40 +1600
Subject: [PATCH] [PATCH v2 19/20] nmbug-status: Escape &, <, and > in HTML display data
---
04/e898c3d8b18ebb03846569fcd6e1eae4ce6563 | 115 ++++++++++++++++++++++
1 file changed, 115 insertions(+)
create mode 100644 04/e898c3d8b18ebb03846569fcd6e1eae4ce6563
diff --git a/04/e898c3d8b18ebb03846569fcd6e1eae4ce6563 b/04/e898c3d8b18ebb03846569fcd6e1eae4ce6563
new file mode 100644
index 000000000..0f2a92f7d
--- /dev/null
+++ b/04/e898c3d8b18ebb03846569fcd6e1eae4ce6563
@@ -0,0 +1,115 @@
+Return-Path:
+X-Original-To: notmuch@notmuchmail.org
+Delivered-To: notmuch@notmuchmail.org
+Received: from localhost (localhost [127.0.0.1])
+ by olra.theworths.org (Postfix) with ESMTP id 19A31431FBD
+ for ; Mon, 10 Feb 2014 10:45:06 -0800 (PST)
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
+X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References"
+X-Spam-Flag: NO
+X-Spam-Score: 0
+X-Spam-Level:
+X-Spam-Status: No, score=0 tagged_above=-999 required=5
+ tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001]
+ autolearn=disabled
+Received: from olra.theworths.org ([127.0.0.1])
+ by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id Rz07LLOJSNRT for ;
+ Mon, 10 Feb 2014 10:45:00 -0800 (PST)
+Received: from qmta09.westchester.pa.mail.comcast.net
+ (qmta09.westchester.pa.mail.comcast.net [76.96.62.96])
+ by olra.theworths.org (Postfix) with ESMTP id 68578429E3F
+ for ; Mon, 10 Feb 2014 10:44:02 -0800 (PST)
+Received: from omta04.westchester.pa.mail.comcast.net ([76.96.62.35])
+ by qmta09.westchester.pa.mail.comcast.net with comcast
+ id Qd6M1n0030ldTLk59ik2ML; Mon, 10 Feb 2014 18:44:02 +0000
+Received: from odin.tremily.us ([24.18.63.50])
+ by omta04.westchester.pa.mail.comcast.net with comcast
+ id Qii11n00F152l3L01ii1x1; Mon, 10 Feb 2014 18:42:02 +0000
+Received: from mjolnir.tremily.us (unknown [192.168.0.140])
+ by odin.tremily.us (Postfix) with ESMTPS id 0234010167C7;
+ Mon, 10 Feb 2014 10:42:01 -0800 (PST)
+Received: (nullmailer pid 1285 invoked by uid 1000);
+ Mon, 10 Feb 2014 18:40:46 -0000
+From: "W. Trevor King"
+To: notmuch@notmuchmail.org
+Subject: [PATCH v2 19/20] nmbug-status: Escape &, <, and > in HTML display
+ data
+Date: Mon, 10 Feb 2014 10:40:40 -0800
+Message-Id:
+ <12913effee843bd0edb90829f2a697fefc5715b1.1392056624.git.wking@tremily.us>
+X-Mailer: git-send-email 1.8.5.2.8.g0f6c0d1
+In-Reply-To:
+References:
+In-Reply-To:
+References:
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net;
+ s=q20121106; t=1392057842;
+ bh=JkclE6rFHN+/nSNV2UZNQWAAGqczyXMc3ejEIf4/27E=;
+ h=Received:Received:Received:Received:From:To:Subject:Date:
+ Message-Id;
+ b=PhdcK6lIRhqN0lTREV4tUMt7lpT6PQrYy1DYlt6+4o7n6oMZVawOJH3nKKx5CrNPl
+ j67IYaUzBT6JyHd6l6W44nwHj/ZJD581PGyDWK9kmrIkXEXpW/5WotcR3S8S5rMu1G
+ 0aKpKj7xVsWiw71Z2x8pqN7g8LQ+iEmnaIbkkPxsyyfz0eYrLknxoksD62I4SL2VD7
+ i/S3+PuNrw0lFt5D/kMsfUYijmeSrM12tbQcLhvvIB6k4hJBgPlNtiXKLzhP8ip2CA
+ W79znEpX5tQk1Vrs7F/BltvHJ0+MWIdT2w5kjNI9W7OcNWQKvdmiMbWk7hR7VzhiLa
+ wZT8SVv69Gl9A==
+Cc: Tomi Ollila
+X-BeenThere: notmuch@notmuchmail.org
+X-Mailman-Version: 2.1.13
+Precedence: list
+List-Id: "Use and development of the notmuch mail system."
+
+List-Unsubscribe: ,
+
+List-Archive:
+List-Post:
+List-Help:
+List-Subscribe: ,
+
+X-List-Received-Date: Mon, 10 Feb 2014 18:45:06 -0000
+
+'message-id' and 'from' now have sensitive characters escaped using
+xml.sax.saxutils.escape [1]. The 'subject' data was already being
+converted to a link into Gmane; I've escape()d that too, so it doesn't
+need to be handled ain the same block as 'message-id' and 'from'.
+
+This prevents broken HTML by if subjects etc. contain characters that
+would otherwise be interpreted as HTML markup.
+
+[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
+---
+ devel/nmbug/nmbug-status | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status
+index 1f0873a..7209dd1 100755
+--- a/devel/nmbug/nmbug-status
++++ b/devel/nmbug/nmbug-status
+@@ -24,6 +24,7 @@ import os
+ import re
+ import sys
+ import subprocess
++import xml.sax.saxutils
+
+
+ _ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
+@@ -229,11 +230,14 @@ class HtmlPage (Page):
+ if 'subject' in display_data and 'message-id' in display_data:
+ d = {
+ 'message-id': quote(display_data['message-id']),
+- 'subject': display_data['subject'],
++ 'subject': xml.sax.saxutils.escape(display_data['subject']),
+ }
+ display_data['subject'] = (
+ '{subject}'
+ ).format(**d)
++ for key in ['message-id', 'from']:
++ if key in display_data:
++ display_data[key] = xml.sax.saxutils.escape(display_data[key])
+ return (running_data, display_data)
+
+ def _slug(self, string):
+--
+1.8.5.2.8.g0f6c0d1
+
-- 2.26.2
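Review bot: The subject is escaped only inside the `if 'subject' in display_data and 'message-id' in display_data:` branch of the second inner hunk, and the new loop covers just `'message-id'` and `'from'`, so a subject that arrives without a message-id would still reach the page unescaped. Whether that combination can occur depends on the caller, which is not visible here, but the fallback is cheap: add `elif 'subject' in display_data:` followed by `display_data['subject'] = xml.sax.saxutils.escape(display_data['subject'])`. Any other key in `display_data` is likewise passed through untouched; escaping every value except the deliberately built subject markup would fail closed if a field is added later. `xml.sax.saxutils.escape()` leaves quote characters alone by default, which is fine for text nodes but not for attribute values, so the `quote()`d message-id should remain the only value that is presumably placed in the link target. The enclosing method starts before the hunk, so how `display_data` is populated cannot be confirmed from these lines.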