Mesa (staging/19.2): bin/gen_release_notes.py: html escape all external data
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Mon Oct 28 15:33:57 UTC 2019
Module: Mesa
Branch: staging/19.2
Commit: 1d86a897337cea084ed1396b308a9387419faf41
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=1d86a897337cea084ed1396b308a9387419faf41
Author: Dylan Baker <dylan at pnwbakers.com>
Date: Wed Oct 23 08:50:40 2019 -0700
bin/gen_release_notes.py: html escape all external data
All of these (bug titles, patch titles, features, and people's names)
can contain characters that are not valid html. Just escape everything
for safety.
Fixes: 86079447da1e00d49db0cbff9a102eb4e71e8702
("scripts: Add a gen_release_notes.py script")
Reviewed-by: Eric Engestrom <eric at engestrom.ch>
Reviewed-by: Juan A. Suarez <jasuarez at igalia.com>
(cherry picked from commit b153785370c7fa47961a69404448c05f7e3c166c)
---
bin/gen_release_notes.py | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/bin/gen_release_notes.py b/bin/gen_release_notes.py
index 26b81eb37bb..bb45d6335e0 100755
--- a/bin/gen_release_notes.py
+++ b/bin/gen_release_notes.py
@@ -38,6 +38,9 @@ CURRENT_GL_VERSION = '4.5'
CURRENT_VK_VERSION = '1.1'
TEMPLATE = Template(textwrap.dedent("""\
+ <%!
+ import html
+ %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
@@ -89,7 +92,7 @@ TEMPLATE = Template(textwrap.dedent("""\
<ul>
%for f in features:
- <li>${f}</li>
+ <li>${html.escape(f)}</li>
%endfor
</ul>
@@ -97,7 +100,7 @@ TEMPLATE = Template(textwrap.dedent("""\
<ul>
%for b in bugs:
- <li>${b}</li>
+ <li>${html.escape(b)}</li>
%endfor
</ul>
@@ -106,9 +109,9 @@ TEMPLATE = Template(textwrap.dedent("""\
<ul>
%for c, author in changes:
%if author:
- <p>${c}</p>
+ <p>${html.escape(c)}</p>
%else:
- <li>${c}</li>
+ <li>${html.escape(c)}</li>
%endif
%endfor
</ul>
More information about the mesa-commit
mailing list