
Commit 8990c8a

committed
fix: html injection in formatToHtml
Cherry-pick of the still-open upstream PR mgeeky#28
1 parent 7a3b958 commit 8990c8a

1 file changed

Lines changed: 5 additions & 8 deletions


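old mode 100644
new mode 100755
--- a/decode-spam-headers.py
+++ b/decode-spam-headers.py
@@ -6648,14 +6648,11 @@ def formatToHtml(body, headers):
 body = body.replace(testEnd, '</div>')
 
 body = body.replace('\n', '<br/>\n').replace('\t', '\t' + '&nbsp;' * 4).replace(' ', '&nbsp;')
-headers = headers.replace('\n', '<br/>\n').replace('\t', '\t' + '&nbsp;' * 4).replace(' ', '&nbsp;')
 body2 = body
-
 for m in re.finditer(r'(<[^>]+>)', body, re.I):
 a = m.group(1)
 b = a.replace('&nbsp;', ' ')
 body2 = body2.replace(a, b)
-
 body = body2
 
 outputHtml = f'''
@@ -6781,7 +6778,7 @@ def formatToHtml(body, headers):
 font-style: normal;
 font-variant: normal;
 font-weight: 400;
-line-height: 18.5714px;
+line-height: 18.5714px;
 }}
 
 a {{
@@ -6804,9 +6801,9 @@ def formatToHtml(body, headers):
 <details>
 <summary>Original SMTP Headers</summary>
 <blockquote>
-<code>
-{headers}
-</code>
+<code><pre>
+{escape(headers)}
+</pre></code>
 </blockquote>
 </details>
 </article>
@@ -6815,7 +6812,7 @@ def formatToHtml(body, headers):
 {body}
 </body>
 </html>
-'''
+'''
 return outputHtml
 
 def colorizeOutput(out, headers):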
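Review bot: The escaping added in the third hunk covers only the raw-headers `<details>` block; `{body}` in the last hunk is still interpolated verbatim, and the loop in the first hunk (`for m in re.finditer(r'(<[^>]+>)', body, re.I):`) treats every angle-bracket run in body as trusted markup, so any `<...>` that reaches body from a header value (an address such as `<user@example.com>`, or an injected `<script>` tag) is emitted as live HTML. Where body is assembled is not visible here — formatToHtml starts before the first hunk — but if it carries header-derived text, the injection is only half closed, and the fix belongs at the point those values are appended to body, with `escape(value)` applied before the tool's own `<div>`/`</div>` markup is wrapped around them. The diff also does not show `escape` being imported; confirm `from html import escape` exists at module top, otherwise the new line raises NameError on the first call. A minor point of style in the third hunk: the conventional nesting is `<pre><code>…</code></pre>` (pre is block-level, code is inline), so I would swap the two tags on the added lines.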
