Re: [PATCH] nmweb: escape subject in search view

Subject: Re: [PATCH] nmweb: escape subject in search view

Date: Fri, 16 Sep 2022 21:50:55 -0300

To: Jakub Wilk, notmuch@notmuchmail.org

Cc:

David Bremner <david@tethera.net> writes:

> Fix a bug reported by Jakub Wilk [1].
>
> [1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
> ---
>  devel/notmuch-web/nmweb.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py
> index 928e4863..7b555c62 100755
> --- a/devel/notmuch-web/nmweb.py
> +++ b/devel/notmuch-web/nmweb.py
> @@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs
>  def link_msg(msg):
>    lnk = quote_plus(msg.messageid.encode('utf8'))
>    try:
> -    subj = msg.header('Subject')
> +    subj = html.escape(msg.header('Subject'))
>    except LookupError:
>      subj = ""
>    out = '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)
> -- 
> 2.35.2

I've deployed this patch on nmbug.notmuchmail.org. It seems to do the
right thing, at least for Jakub's original reported message.

d
_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-leave@notmuchmail.org

Previous message (by thread): Re: [PATCH] nmweb: escape subject in search view

Thread:

Jakub Wilk—nmweb HTML injection [inbox, notmuch::bug, notmuch::fixed, unread]
- Michael J Gruber—Re: nmweb HTML injection [inbox, unread]
- David Bremner—[PATCH] nmweb: escape subject in search view [inbox, notmuch::needs-review, notmuch::patch, notmuch::pushed, unread]
  - David Bremner—Re: [PATCH] nmweb: escape subject in search view [inbox, unread]
  - David Bremner—Re: [PATCH] nmweb: escape subject in search view [inbox, unread]