From e1555594fb6091ea9bb05340c7e8576e930bb3c7 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Mon, 6 Dec 2010 20:31:12 +0100
Subject: [PATCH] browser: quote html entities

Title and description contain special characters literally. Other fields are usually to be inserted as HTML, but are not always valid (stand-alone chars, invisible linebreaks) so apply some smart escaping.
---
 browser.plp | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/browser.plp b/browser.plp
index 741868b..c2a5d25 100644
--- a/browser.plp
+++ b/browser.plp
@@ -181,15 +181,15 @@ sub saytitlecol {
 sprintf("try { %s; return false } catch(err) { return true }",
 "document.getElementById('$id').classList.toggle('target')",
 ),
- $_,
+ Entity($_),
 );
 } $row->{title};
 print '
'; s/\.?$/./, print "

$_

" for map { ref $_ ? @$_ : $_ || () }
- $row->{description}, $row->{notes};
- printf 'Resources: %s.', join(', ',
- map { qq($_->{title}) } @$_
- ) for grep { @$_ } $row->{links} // ();
+ Entity($row->{description}), formathtml($row->{notes}); # sic
+ printf 'Resources: %s.', join(', ', map {
+ sprintf '%s', EscapeHTML($_->{url}), $_->{title}
+ } @$_) for grep { @$_ } $row->{links} // ();
 print '
';
 }
@@ -257,6 +257,16 @@ for my $id (sort {
 print '', $header; print '';
+sub formathtml {
+ my $ref = defined wantarray ? [@_] : \@_;
+ for (@$ref) {
+ s/& (?!\w)/&/gx;
+ s/< \s/</gx;
+ s/\n\K\n/
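Review bot: In the rewritten `Resources:` line the link text is still interpolated raw: `sprintf` receives `EscapeHTML($_->{url})` as its first argument but plain `$_->{title}` as its second, so a title containing `<`, `&` or a quote reaches the page unescaped. If link titles are plain text, escape both, `EscapeHTML($_->{url}), EscapeHTML($_->{title})`; if they are meant to carry markup like notes, pass them through `formathtml` and say so in a comment next to the existing `# sic`. Escaping the URL keeps it inside the attribute but does not constrain its scheme, so an allow-list check such as `m{\Ahttps?://}` before emitting the link is worth adding if the link data can ever come from outside the maintainers. The format string appears to have lost its markup on this page, and `saytitlecol` begins outside the hunk.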
/g;
+ }
+ return @$ref;
+}
+
 sub paddedver { # normalised version number comparable as string (cmp)
 shift =~ /^(\d*)(.*)/;
-- 
2.30.0
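Review bot: The lookahead in `s/& (?!\w)/&/gx` only recognises named references, so a numeric character reference such as `&#8212;` in notes is taken for a stray ampersand and escaped a second time, while text like `AT&T` passes through untouched; `(?! \#? \w+ ;)` describes what a reference actually looks like. `formathtml` is a repair pass, not a sanitizer, since complete tags and attributes go through unchanged, so it deserves a header comment along the lines of `# notes are trusted HTML: only repairs stray & and <, never use on untrusted input`. `return @$ref` yields the element count in scalar context, so `my $html = formathtml($text)` would get `1`; the call site in this commit is in list context and is unaffected. The replacement sides of the substitutions look entity-decoded on this page, so this assumes they originally produced `&amp;` and `&lt;`.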