bin/gen_release_notes.py: html escape all external data

All of these (bug titles, patch titles, features, and people's names)
can contain characters that are not valid html. Just escape everything
for safety.

Fixes: 86079447da1e00d49db0cbff9a102eb4e71e8702
       ("scripts: Add a gen_release_notes.py script")
Reviewed-by: Eric Engestrom <eric@engestrom.ch>
Reviewed-by: Juan A. Suarez <jasuarez@igalia.com>

diff --git a/bin/gen_release_notes.py b/bin/gen_release_notes.py
index 4ef4facf8731bed1153f50f4505d2863320196fb..57f73ee1bd540833f434341df54e94c250a31934 100755 (executable)
--- a/bin/gen_release_notes.py
+++ b/bin/gen_release_notes.py
@@ -38,6 +38,9 @@ CURRENT_GL_VERSION = '4.6'
 CURRENT_VK_VERSION = '1.1'
 
 TEMPLATE = Template(textwrap.dedent("""\
+    <%!
+        import html
+    %>
     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
     <html lang="en">
     <head>
@@ -89,7 +92,7 @@ TEMPLATE = Template(textwrap.dedent("""\
 
     <ul>
     %for f in features:
-        <li>${f}</li>
+        <li>${html.escape(f)}</li>
     %endfor
     </ul>
 
@@ -97,7 +100,7 @@ TEMPLATE = Template(textwrap.dedent("""\
 
     <ul>
     %for b in bugs:
-        <li>${b}</li>
+        <li>${html.escape(b)}</li>
     %endfor
     </ul>
 
@@ -106,9 +109,9 @@ TEMPLATE = Template(textwrap.dedent("""\
     <ul>
     %for c, author in changes:
       %if author:
-        <p>${c}</p>
+        <p>${html.escape(c)}</p>
       %else:
-        <li>${c}</li>
+        <li>${html.escape(c)}</li>
       %endif
     %endfor
     </ul>