
Bug#872646: qa.debian.org: [debcheck] Escape some HTML before outputting



On Sun, Aug 20, 2017 at 02:53:09PM +0200, gregor herrmann wrote:
> On Sun, 20 Aug 2017 10:13:47 +0200, Mattia Rizzolo wrote:
> > On Sat, Aug 19, 2017 at 11:20:50AM -0700, Chris Lamb wrote:
> > > Updated patch attached, although the last hunk is probably unnecessary
> > > anyway.
> > 
> > Although, I'm not a perl guy so I must ask before applying:
> >  * shouldn't that function be `escape_html()` instead of `html_escape()` ?
> >    (i.e., what is cited in the `use`)
> >  * does that thing require a new dependency?  The closest thing I could
> >    find on the net is
> >    http://search.cpan.org/dist/HTML-Escape/lib/HTML/Escape.pm which
> >    doesn't seem like something that is in the standard lib…
> >  * in the last chunk you escaped the first $me but not the latter in the
> >    line below, probably best to at least be consistent?
> 
> AFAICS HTML::Escape is not packaged for Debian. 
> (Ack on the other points).
> 
> HTML::Entities might be an option:
> 
> https://metacpan.org/pod/HTML::Entities
> 
> Included in the libhtml-parser-perl package.

Yes, I think that's probably the right [1] answer.  quantz already has
libhtml-parser-perl installed too.

I've tidied this up along those lines and made a merge request:

  https://salsa.debian.org/qa/qa/merge_requests/27

Note that I didn't bother to escape things that have already been
checked as conforming to a syntax that doesn't require HTML-escaping,
e.g. priority names, just because it was getting unwieldy.  Ordinarily
I'd make sure to put all substitutions through an escaping mechanism
just to guard against future mistakes, but well, see [1].

[1] I might have written it this way myself when I first started writing
    Perl in 1999 or so, so no criticism of the original author intended,
    but I've very distinctly gone off the idea of assembling HTML out of
    lots of little string fragments in the intervening two decades.
    These days I'd use a templating system (e.g. Perl's Template Toolkit
    looks reasonable enough) as a bare minimum.  But right now I really
    don't feel like rewriting almost all of debcheck to achieve that ...

-- 
Colin Watson                                       [cjwatson@debian.org]
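
The approach discussed in this message (HTML::Entities from libhtml-parser-perl, with every substitution going through one escaping mechanism), as an added example that is not debcheck's code and not the content of the merge request. The helper `html_sprintf` and the `%pkg` sample values are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Hypothetical helper (not from debcheck): a sprintf wrapper that escapes
# every substituted value, so no caller can forget one field.
sub html_sprintf {
    my ($format, @values) = @_;
    # Escape the characters that are significant in HTML text and in
    # single- or double-quoted attribute values. In non-void context
    # encode_entities returns an escaped copy and leaves its argument alone.
    return sprintf($format,
        map { encode_entities($_ // '', q{<>&"'}) } @values);
}

# Constructed sample input: field values as they might arrive from
# package metadata, two of them containing HTML-significant characters.
my %pkg = (
    name       => 'foo',
    maintainer => 'A. Maintainer <am@example.org>',
    problem    => q{depends on "bar" (>= 1.0) & <b>baz</b>},
);

# Fragment assembled by plain interpolation: the maintainer address is
# parsed as a tag and the <b> element is rendered as markup.
my $unescaped = "<tr><td>$pkg{name}</td><td>$pkg{maintainer}</td>"
              . "<td>$pkg{problem}</td></tr>";

# Same fragment with all substitutions escaped, including the value that
# lands inside a double-quoted attribute.
my $escaped = html_sprintf(
    qq{<tr><td title="%s">%s</td><td>%s</td><td>%s</td></tr>},
    $pkg{problem}, $pkg{name}, $pkg{maintainer}, $pkg{problem},
);

print "unescaped: $unescaped\n";
print "escaped:   $escaped\n";
```

Values placed in a URL (for example a query string inside `href`) need URI encoding in addition to this HTML escaping.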

