Escape from and subject

2020-04-15 21:39:56 +02:00 · 2020-04-15 21:39:56 +02:00 · 10ce9fad8b
parent 6fa5f0ab2e
commit 10ce9fad8b
1 changed files with 6 additions and 6 deletions
--- a/12
+++ b/12
@ -927,8 +927,8 @@ class Message:
            in_reply_to_msgid = [references_msgids[-1]]
        self.in_reply_to = in_reply_to_msgids
        self.references = references_msgids
-        self.mfrom = msg["From"]
-        self.subject = msg["Subject"]
+        self.mfrom = decode_rfc2047(msg["From"])
+        self.subject = decode_rfc2047(msg["Subject"])
        self.msg = msg
        self.kids = False
        if self.date.tzinfo is None:
@ -1125,15 +1125,15 @@ class Thread:
        
        # XXX  - escape!
        s += f"<td class='date'><a href='/msg/{lines[0][3]}/'>{lines[0][0]}</a></td>"
-        s += f"<td class='from'>{lines[0][1]}</td>"
-        s += f"<td class='subject'>{lines[0][2]}</td>"
+        s += f"<td class='from'>{html.escape(lines[0][1])}</td>"
+        s += f"<td class='subject'>{html.escape(lines[0][2])}</td>"
        s += "</tr>"

        for ln in lines[1:]:
            s += "<tr>"
            s += f"<td class='date'><a href='/msg/{ln[3]}/'>{ln[0]}</a></td>"
-            s += f"<td class='from'>{ln[1]}</td>"
-            s += f"<td class='subject'>{ln[2]}</td>"
+            s += f"<td class='from'>{html.escape(ln[1])}</td>"
+            s += f"<td class='subject'>{html.escape(ln[2])}</td>"
            s += "</tr>"
        s += "</table>"
        self._as_html = s