'message-id' and 'from' now have sensitive characters escaped using
xml.sax.saxutils.escape [1]. The 'subject' data was already being
converted to a link into Gmane; I've escape()d that too, so it doesn't
need to be handled in the same block as 'message-id' and 'from'.
This prevents broken HTML if subjects etc. contain characters that
would otherwise be interpreted as HTML markup.
[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
import re
import sys
import subprocess
import re
import sys
import subprocess
_ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
_ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
if 'subject' in display_data and 'message-id' in display_data:
d = {
'message-id': quote(display_data['message-id']),
if 'subject' in display_data and 'message-id' in display_data:
d = {
'message-id': quote(display_data['message-id']),
- 'subject': display_data['subject'],
+ 'subject': xml.sax.saxutils.escape(display_data['subject']),
}
display_data['subject'] = (
'<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
).format(**d)
}
display_data['subject'] = (
'<a href="http://mid.gmane.org/{message-id}">{subject}</a>'
).format(**d)
+ for key in ['message-id', 'from']:
+ if key in display_data:
+ display_data[key] = xml.sax.saxutils.escape(display_data[key])
return (running_data, display_data)
def _slug(self, string):
return (running_data, display_data)
def _slug(self, string):
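Review bot: A 'subject' that arrives without a 'message-id' is still left unescaped, because the new escape() call on the subject sits inside the `if 'subject' in display_data and 'message-id' in display_data:` block and the added loop only covers 'message-id' and 'from'. Unless a branch outside this hunk already handles that case, add an `elif 'subject' in display_data:` branch to that `if` whose body is `display_data['subject'] = xml.sax.saxutils.escape(display_data['subject'])`. Note also that escape() rewrites only `&`, `<` and `>` by default, which is sufficient for element content but not for attribute values; if 'from' or 'message-id' are ever placed inside an attribute, `xml.sax.saxutils.quoteattr` or an `entities={'"': '&quot;'}` argument would be needed. The enclosing function starts outside the hunk, so how these values are finally rendered cannot be confirmed from here.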