We already escape the user-provided Message-IDs (so there's no security problem AFAIK), but the URL templates which exist in our source code were not escaped properly.
This quiets down tidy(1). --- lib/PublicInbox/ExtMsg.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/PublicInbox/ExtMsg.pm b/lib/PublicInbox/ExtMsg.pm index 14d49cc..d07d5a7 100644 --- a/lib/PublicInbox/ExtMsg.pm +++ b/lib/PublicInbox/ExtMsg.pm @@ -8,13 +8,13 @@ package PublicInbox::ExtMsg; use strict; use warnings; -use PublicInbox::Hval; +use PublicInbox::Hval qw/ascii_html/; use PublicInbox::MID qw/mid2path/; use PublicInbox::WwwStream; our $MIN_PARTIAL_LEN = 16; # TODO: user-configurable -our @EXT_URL = ( +our @EXT_URL = map { ascii_html($_) } ( # leading "//" denotes protocol-relative (http:// or https://) '//marc.info/?i=%s', '//www.mail-archive.com/search?l=mid&q=%s', -- EW -- unsubscribe: meta+unsubscr...@public-inbox.org archive: https://public-inbox.org/meta/