From: Eric Wong <e@80x24.org>
Date: Fri, 13 Sep 2024 22:07:24 +0000 (+0000)
Subject: view: disable address URL-fication of possible HTML escapes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d1ea09128ef9f61943d66ac5df968fde3e73036;p=thirdparty%2Fpublic-inbox.git

view: disable address URL-fication of possible HTML escapes

In case somebody uses local email address of `lt' or `gt' (with
no domain component, or something matching /#\d+/a), disable
URL-fication of such addresses to prevent breaking HTML output.

Somebody with better Perl regexp knowledge than I can attempt to
write a regexp which functions like \b but avoids matching `&'
to allow such local email addresses.  But I suspect the use of
local-only email addresses to be limited and this isn't a real
problem in practice.
---

diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 75387dce1..5d4742925 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -72,6 +72,9 @@ sub addr2urlmap ($) {
 		my $by_addr = $ctx->{www}->{pi_cfg}->{-by_addr};
 		my (%addr2url, $url);
 		while (my ($addr, $ibx) = each %$by_addr) {
+			# FIXME: use negative look(behind|ahead) in s// for
+			# `&' and `;' to make them not match \b
+			next if $addr =~ /\A(?:gt|lt|#[0-9]+)\z/;
 			$url = $ibx->base_url // $ibx->base_url($ctx->{env});
 			$addr2url{ascii_html($addr)} = ascii_html($url) if
 				defined $url
@@ -83,6 +86,8 @@ sub addr2urlmap ($) {
 		delete @$tmp{@k[0..3]} if scalar(@k) > 7;
 		if (scalar keys %addr2url) {
 			my $re = join('|', map { quotemeta } keys %addr2url);
+			# FIXME: fix this regexp to allow `lt' and `gt' as
+			# local email addresses:
 			$tmp->{$key} = [ qr/\b($re)\b/i, \%addr2url ];
 		} else { # nothing? NUL should never match:
 			[ qr/(\0)/, { "\0" => './' } ];