From dad4f0cd038cd684fe76ed276376fb8a0e32ae47 Mon Sep 17 00:00:00 2001
From: John Ralls
Date: Sat, 25 Jul 2020 14:23:54 -0700
Subject: [PATCH] [git-release-notes.pl] html-escape strings in the html output.
---
 util/git-release-notes.pl | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/util/git-release-notes.pl b/util/git-release-notes.pl
index 3acdfeb032..013e9511af 100755
--- a/util/git-release-notes.pl
+++ b/util/git-release-notes.pl
@@ -26,6 +26,18 @@ sub text_format {
 print_notes($notes) if ($notes);
 }
 
+# escape_html lifted from https://metacpan.org/source/TOKUHIROM/HTML-Escape-1.10/lib/HTML/Escape/PurePerl.pm.
+our %_escape_table = ( '&' => '&', '>' => '>', '<' => '<',
+ q{"} => '"', q{'} => ''', q{`} => '`',
+ '{' => '{', '}' => '}' );
+sub escape_html {
+ my $str = shift;
+ return ''
+ unless defined $str;
+ $str =~ s/([&><"'`{}])/$_escape_table{$1}/ge; #' for poor editors
+ return $str;
+}
+
 sub html_format_bug {
 my $string = shift;
 my $href='"https://bugs.gnucash.org/show_bug.cgi?id=XXXXXX"';
@@ -34,6 +46,9 @@ sub html_format_bug {
 my $num = $1;
 die "No bug number in $sum" if ! $num;
 $href =~ s/XXXXXX/$num/;
+ $sum = escape_html($sum);
+ $desc = escape_html($desc);
+ $notes = escape_html($notes);
 print "
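Review bot: As rendered here, every value in `%_escape_table` is identical to its key (`'&' => '&'`, `'<' => '<'`), which would make `escape_html` return its input unchanged and leave the HTML output exactly as unescaped as before; this is most likely the page decoding the entities of the committed `'&amp;'`/`'&lt;'` values, but it is worth confirming against the file itself, because a no-op escaper reads as protection that is not there. The table is a package global via `our` although only `escape_html` reads it; a file-scoped `my %_escape_table = ( ... );` keeps it out of the package namespace. The `/e` substitution substitutes an empty string for any matched character that is missing from the table, so the character class and the table keys must stay in step; a comment on the regex such as `# the class must list exactly the keys of %_escape_table` makes that coupling visible.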
  • $sum"; print "

    $desc

    " if ($desc); print_notes($notes) if ($notes); @@ -44,6 +59,9 @@ sub html_format_other { my $string = shift; my ($sum, $desc, $notes) = split('\<\|\>', $string); die "No summary in $string" if not $sum; + $sum = escape_html($sum); + $desc = escape_html($desc); + $notes = escape_html($notes); print "
  • $sum"; print "

    $desc

    " if ($desc); print_notes($notes) if ($notes);