author | Dylan Baker <[email protected]> | 2019-10-23 08:50:40 -0700 |
---|---|---|
committer | Dylan Baker <[email protected]> | 2019-10-28 08:31:58 -0700 |
commit | 1d86a897337cea084ed1396b308a9387419faf41 (patch) | |
tree | c30f97634b7ff7e815a448ff6e7ae1f9d6896d4c /bin | |
parent | 05605ad1965d99c0e9e0d108d07d653f8b7f6dd1 (diff) |
bin/gen_release_notes.py: html escape all external data
All of these (bug titles, patch titles, features, and people's names)
can contain characters that are not valid html. Just escape everything
for safety.
Fixes: 86079447da1e00d49db0cbff9a102eb4e71e8702
("scripts: Add a gen_release_notes.py script")
Reviewed-by: Eric Engestrom <[email protected]>
Reviewed-by: Juan A. Suarez <[email protected]>
(cherry picked from commit b153785370c7fa47961a69404448c05f7e3c166c)
Diffstat (limited to 'bin')
-rwxr-xr-x | bin/gen_release_notes.py | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/bin/gen_release_notes.py b/bin/gen_release_notes.py
index 26b81eb37bb..bb45d6335e0 100755
--- a/bin/gen_release_notes.py
+++ b/bin/gen_release_notes.py
@@ -38,6 +38,9 @@ CURRENT_GL_VERSION = '4.5'
 CURRENT_VK_VERSION = '1.1'
 TEMPLATE = Template(textwrap.dedent("""\
+ <%!
+ import html
+ %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
@@ -89,7 +92,7 @@ TEMPLATE = Template(textwrap.dedent("""\
 <ul>
 %for f in features:
- <li>${f}</li>
+ <li>${html.escape(f)}</li>
 %endfor
 </ul>
@@ -97,7 +100,7 @@ TEMPLATE = Template(textwrap.dedent("""\
 <ul>
 %for b in bugs:
- <li>${b}</li>
+ <li>${html.escape(b)}</li>
 %endfor
 </ul>
@@ -106,9 +109,9 @@ TEMPLATE = Template(textwrap.dedent("""\
 <ul>
 %for c, author in changes:
 %if author:
- <p>${c}</p>
+ <p>${html.escape(c)}</p>
 %else:
- <li>${c}</li>
+ <li>${html.escape(c)}</li>
 %endif
 %endfor
 </ul> |
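Review bot: Escaping stays opt-in per expression: the `<%! import html %>` block added in the first hunk and the four `${html.escape(...)}` calls in the features, bugs and changes loops (hunks two to four) cover only those expressions, so any `${...}` added to the template later is written into the release notes raw unless its author remembers the wrapper. Mako can escape by default instead: passing `default_filters=['str', 'h']` to `Template(...)` applies the HTML filter to every expression, the loops can go back to `${f}`, `${b}` and `${c}`, and a value that is intentionally markup is marked with `| n`. The `Template(` call and the rest of the template body lie outside the visible hunks, so whether other expressions there also carry bug-tracker or commit data cannot be confirmed from this page and should be checked against the commit title's "all external data".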