[PATCH] nmweb: escape subject in search view

Subject: [PATCH] nmweb: escape subject in search view

Date: Mon, 5 Sep 2022 08:07:21 -0300

To: Jakub Wilk, notmuch@notmuchmail.org

Cc:

Fix a bug reported by Jakub Wilk [1].

[1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
---
 devel/notmuch-web/nmweb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py
index 928e4863..7b555c62 100755
--- a/devel/notmuch-web/nmweb.py
+++ b/devel/notmuch-web/nmweb.py
@@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs
 def link_msg(msg):
   lnk = quote_plus(msg.messageid.encode('utf8'))
   try:
-    subj = msg.header('Subject')
+    subj = html.escape(msg.header('Subject'))
   except LookupError:
     subj = ""
   out = '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)
-- 
2.35.2

_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-leave@notmuchmail.org

Previous message (by thread): Re: [PATCH] nmweb: escape subject in search view

Thread:

Jakub Wilk—nmweb HTML injection [inbox, notmuch::bug, notmuch::fixed, unread]
- Michael J Gruber—Re: nmweb HTML injection [inbox, unread]
- David Bremner—[PATCH] nmweb: escape subject in search view [inbox, notmuch::needs-review, notmuch::patch, notmuch::pushed, unread]
  - David Bremner—Re: [PATCH] nmweb: escape subject in search view [inbox, unread]
  - David Bremner—Re: [PATCH] nmweb: escape subject in search view [inbox, unread]