From b153785370c7fa47961a69404448c05f7e3c166c Mon Sep 17 00:00:00 2001 From: Dylan Baker Date: Wed, 23 Oct 2019 08:50:40 -0700 Subject: [PATCH] bin/gen_release_notes.py: html escape all external data All of these (bug titles, patch titles, features, and people's names) can contain characters that are not valid html. Just escape everything for safety. Fixes: 86079447da1e00d49db0cbff9a102eb4e71e8702 ("scripts: Add a gen_release_notes.py script") Reviewed-by: Eric Engestrom Reviewed-by: Juan A. Suarez --- bin/gen_release_notes.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/bin/gen_release_notes.py b/bin/gen_release_notes.py index 4ef4facf873..57f73ee1bd5 100755 --- a/bin/gen_release_notes.py +++ b/bin/gen_release_notes.py @@ -38,6 +38,9 @@ CURRENT_GL_VERSION = '4.6' CURRENT_VK_VERSION = '1.1' TEMPLATE = Template(textwrap.dedent("""\ + <%! + import html + %> @@ -89,7 +92,7 @@ TEMPLATE = Template(textwrap.dedent("""\
    %for f in features: -
  • ${f}
  • +
  • ${html.escape(f)}
  • %endfor
@@ -97,7 +100,7 @@ TEMPLATE = Template(textwrap.dedent("""\
    %for b in bugs: -
  • ${b}
  • +
  • ${html.escape(b)}
  • %endfor
@@ -106,9 +109,9 @@ TEMPLATE = Template(textwrap.dedent("""\
    %for c, author in changes: %if author: -

    ${c}

    +

    ${html.escape(c)}

    %else: -
  • ${c}
  • +
  • ${html.escape(c)}
  • %endif %endfor
-- 2.30.2