[PATCH v2 19/20] nmbug-status: Escape &, <, and > in HTML display data
author W. Trevor King <wking@tremily.us>
Mon, 10 Feb 2014 18:40:40 +0000 (10:40 +1600)
committer W. Trevor King <wking@tremily.us>
Fri, 7 Nov 2014 17:59:53 +0000 (09:59 -0800)
04/e898c3d8b18ebb03846569fcd6e1eae4ce6563 [new file with mode: 0644]

diff --git a/04/e898c3d8b18ebb03846569fcd6e1eae4ce6563 b/04/e898c3d8b18ebb03846569fcd6e1eae4ce6563
new file mode 100644 (file)
index 0000000..0f2a92f
--- /dev/null
@@ -0,0 +1,115 @@
+Return-Path: <wking@tremily.us>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+       by olra.theworths.org (Postfix) with ESMTP id 19A31431FBD\r
+       for <notmuch@notmuchmail.org>; Mon, 10 Feb 2014 10:45:06 -0800 (PST)\r
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org\r
+X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References"\r
+X-Spam-Flag: NO\r
+X-Spam-Score: 0\r
+X-Spam-Level: \r
+X-Spam-Status: No, score=0 tagged_above=-999 required=5\r
+       tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001]\r
+       autolearn=disabled\r
+Received: from olra.theworths.org ([127.0.0.1])\r
+       by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)\r
+       with ESMTP id Rz07LLOJSNRT for <notmuch@notmuchmail.org>;\r
+       Mon, 10 Feb 2014 10:45:00 -0800 (PST)\r
+Received: from qmta09.westchester.pa.mail.comcast.net\r
+       (qmta09.westchester.pa.mail.comcast.net [76.96.62.96])\r
+       by olra.theworths.org (Postfix) with ESMTP id 68578429E3F\r
+       for <notmuch@notmuchmail.org>; Mon, 10 Feb 2014 10:44:02 -0800 (PST)\r
+Received: from omta04.westchester.pa.mail.comcast.net ([76.96.62.35])\r
+       by qmta09.westchester.pa.mail.comcast.net with comcast\r
+       id Qd6M1n0030ldTLk59ik2ML; Mon, 10 Feb 2014 18:44:02 +0000\r
+Received: from odin.tremily.us ([24.18.63.50])\r
+       by omta04.westchester.pa.mail.comcast.net with comcast\r
+       id Qii11n00F152l3L01ii1x1; Mon, 10 Feb 2014 18:42:02 +0000\r
+Received: from mjolnir.tremily.us (unknown [192.168.0.140])\r
+       by odin.tremily.us (Postfix) with ESMTPS id 0234010167C7;\r
+       Mon, 10 Feb 2014 10:42:01 -0800 (PST)\r
+Received: (nullmailer pid 1285 invoked by uid 1000);\r
+       Mon, 10 Feb 2014 18:40:46 -0000\r
+From: "W. Trevor King" <wking@tremily.us>\r
+To: notmuch@notmuchmail.org\r
+Subject: [PATCH v2 19/20] nmbug-status: Escape &, <, and > in HTML display\r
+ data\r
+Date: Mon, 10 Feb 2014 10:40:40 -0800\r
+Message-Id:\r
+ <12913effee843bd0edb90829f2a697fefc5715b1.1392056624.git.wking@tremily.us>\r
+X-Mailer: git-send-email 1.8.5.2.8.g0f6c0d1\r
+In-Reply-To: <cover.1392056624.git.wking@tremily.us>\r
+References: <cover.1392056624.git.wking@tremily.us>\r
+In-Reply-To: <cover.1392056624.git.wking@tremily.us>\r
+References: <cover.1392056624.git.wking@tremily.us>\r
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net;\r
+       s=q20121106; t=1392057842;\r
+       bh=JkclE6rFHN+/nSNV2UZNQWAAGqczyXMc3ejEIf4/27E=;\r
+       h=Received:Received:Received:Received:From:To:Subject:Date:\r
+       Message-Id;\r
+       b=PhdcK6lIRhqN0lTREV4tUMt7lpT6PQrYy1DYlt6+4o7n6oMZVawOJH3nKKx5CrNPl\r
+       j67IYaUzBT6JyHd6l6W44nwHj/ZJD581PGyDWK9kmrIkXEXpW/5WotcR3S8S5rMu1G\r
+       0aKpKj7xVsWiw71Z2x8pqN7g8LQ+iEmnaIbkkPxsyyfz0eYrLknxoksD62I4SL2VD7\r
+       i/S3+PuNrw0lFt5D/kMsfUYijmeSrM12tbQcLhvvIB6k4hJBgPlNtiXKLzhP8ip2CA\r
+       W79znEpX5tQk1Vrs7F/BltvHJ0+MWIdT2w5kjNI9W7OcNWQKvdmiMbWk7hR7VzhiLa\r
+       wZT8SVv69Gl9A==\r
+Cc: Tomi Ollila <tomi.ollila@iki.fi>\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.13\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+       <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,\r
+       <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,\r
+       <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Mon, 10 Feb 2014 18:45:06 -0000\r
+\r
+'message-id' and 'from' now have sensitive characters escaped using\r
+xml.sax.saxutils.escape [1].  The 'subject' data was already being\r
+converted to a link into Gmane; I've escape()d that too, so it doesn't\r
+need to be handled ain the same block as 'message-id' and 'from'.\r
+\r
+This prevents broken HTML by if subjects etc. contain characters that\r
+would otherwise be interpreted as HTML markup.\r
+\r
+[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape\r
+---\r
+ devel/nmbug/nmbug-status | 6 +++++-\r
+ 1 file changed, 5 insertions(+), 1 deletion(-)\r
+\r
+diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status\r
+index 1f0873a..7209dd1 100755\r
+--- a/devel/nmbug/nmbug-status\r
++++ b/devel/nmbug/nmbug-status\r
+@@ -24,6 +24,7 @@ import os\r
+ import re\r
+ import sys\r
+ import subprocess\r
++import xml.sax.saxutils\r
\r
\r
+ _ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()\r
+@@ -229,11 +230,14 @@ class HtmlPage (Page):\r
+         if 'subject' in display_data and 'message-id' in display_data:\r
+             d = {\r
+                 'message-id': quote(display_data['message-id']),\r
+-                'subject': display_data['subject'],\r
++                'subject': xml.sax.saxutils.escape(display_data['subject']),\r
+                 }\r
+             display_data['subject'] = (\r
+                 '<a href="http://mid.gmane.org/{message-id}">{subject}</a>'\r
+                 ).format(**d)\r
++        for key in ['message-id', 'from']:\r
++            if key in display_data:\r
++                display_data[key] = xml.sax.saxutils.escape(display_data[key])\r
+         return (running_data, display_data)\r
\r
+     def _slug(self, string):\r
+-- \r
+1.8.5.2.8.g0f6c0d1\r
+\r