Re: nmweb HTML injection

Subject: Re: nmweb HTML injection

Date: Mon, 22 Aug 2022 10:35:39 +0200

To: Jakub Wilk

Cc: notmuch@notmuchmail.org

From: Michael J Gruber


On Mon, 22 Aug 2022 at 09:22, Jakub Wilk <jwilk@jwilk.net> wrote:
>
> See: https://nmbug.notmuchmail.org/nmweb/search/markup%20where%20appropriate
>
> <code> and <p> from the mail subject were dumped without escaping into HTML.
>

Interesting :)

The body is htmlescape()ed, but the subject header is used as is. It
should be escaped too.

Michael
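
Added example, not part of the original message and not nmweb's own code: the escaped-body, raw-subject behaviour described above next to a form that escapes every message-derived field, with a check that parses the rendered page and reports tags the template did not emit. The function names, the template and the sample message are assumptions; Python's html.escape stands in for the htmlescape() mentioned in the reply.

```python
import html
from html.parser import HTMLParser

# Constructed sample message; the subject imitates the one in the report.
SAMPLE = {
    "subject": "use <code> and <p> markup where appropriate",
    "body": "Text with <b>markup</b> & an ampersand.",
}

TEMPLATE = "<h2>{subject}</h2>\n<pre>{body}</pre>"
TEMPLATE_TAGS = {"h2", "pre"}  # the only tags the template itself emits


def render_subject_raw(msg):
    """Behaviour described in the thread: body escaped, subject used as is."""
    return TEMPLATE.format(subject=msg["subject"],
                           body=html.escape(msg["body"]))


def render_all_escaped(msg):
    """Hardened form: every field taken from the mail is escaped."""
    safe = {key: html.escape(value, quote=True) for key, value in msg.items()}
    return TEMPLATE.format(**safe)


class _TagCollector(HTMLParser):
    """Records the name of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def injected_tags(page):
    """Return tags present in the rendered page that the template did not emit."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return sorted(collector.tags - TEMPLATE_TAGS)


if __name__ == "__main__":
    print("raw subject:", injected_tags(render_subject_raw(SAMPLE)))
    print("all escaped:", injected_tags(render_all_escaped(SAMPLE)))
```

The injected_tags() check can serve as a regression test over any header that reaches the page, not only the subject.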