From 035b9b6da2538d4bf3cbdc4944124f24cb195e4c Mon Sep 17 00:00:00 2001
From: Petr Baudis <pasky@suse.cz>
Date: Tue, 3 Nov 2009 00:45:26 +0100
Subject: [PATCH] gitweb: slight e-mail address obfuscation

This patch introduces new email_obfuscate() function to pass e-mail
addresses through. It HTML-escapes them and rewrites the @ as an
HTML/XML entity. If the HTML::Email::Obfuscate module is installed,
it makes use of its lite version.

The patch is loosely based on a patch by Stefan de Konink
<skinkie@xs4all.nl> he submitted for repo.or.cz long ago.

Signed-off-by: Petr Baudis <pasky@suse.cz>
---
 gitweb/gitweb.perl | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 7a5b23acf2..f43f8deb19 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -568,6 +568,12 @@ our %feature = (
 		'default' => []},
 );
 
+# email obfuscation
+our $email;
+if (eval { require HTML::Email::Obfuscate; 1 }) {
+	$email = HTML::Email::Obfuscate->new(lite => 1);
+}
+
 sub gitweb_get_feature {
 	my ($name) = @_;
 	return unless exists $feature{$name};
@@ -1785,6 +1791,22 @@ sub chop_str {
 	}
 }
 
+# pass-through email filter, obfuscating it when possible
+sub email_obfuscate {
+	my ($str) = @_;
+	if ($email) {
+		$str = $email->escape_html($str);
+		# Stock HTML::Email::Obfuscate version likes to produce
+		# invalid XHTML...
+		$str =~ s#<(/?)B>#<$1b>#g;
+		return $str;
+	} else {
+		$str = esc_html($str);
+		$str =~ s/@/&#x40;/;
+		return $str;
+	}
+}
+
 # takes the same arguments as chop_str, but also wraps a <span> around the
 # result with a title attribute if it does get chopped. Additionally, the
 # string is HTML-escaped.
@@ -1794,10 +1816,10 @@ sub chop_and_escape_str {
 	my $chopped = chop_str(@_);
 	$str = to_utf8($str);
 	if ($chopped eq $str) {
-		return esc_html($chopped);
+		return email_obfuscate($chopped);
 	} else {
 		$str =~ s/[[:cntrl:]]/?/g;
-		return $cgi->span({-title=>$str}, esc_html($chopped));
+		return $cgi->span({-title=>$str}, email_obfuscate($chopped));
 	}
 }
 
@@ -6546,7 +6568,7 @@ sub git_summary {
 	print "<table class=\"projects_list\">\n" .
 	      "<tr id=\"metadata_desc\"><td>description</td><td>" . esc_html($descr) . "</td></tr>\n";
         if ($owner and not $omit_owner) {
-	        print  "<tr id=\"metadata_owner\"><td>owner</td><td>" . esc_html($owner) . "</td></tr>\n";
+	        print  "<tr id=\"metadata_owner\"><td>owner</td><td>" . email_obfuscate($owner) . "</td></tr>\n";
         }
 	if (defined $cd{'rfc2822'}) {
 		print "<tr id=\"metadata_lchange\"><td>last change</td>" .
@@ -8226,7 +8248,7 @@ XML
 		      $cgi->self_url() . '" />' . "\n" .
 		      "<id>" . href(-full=>1) . "</id>\n" .
 		      # use project owner for feed author
-		      "<author><name>$owner</name></author>\n";
+		      '<author><name>'. email_obfuscate($owner) . '</name></author>\n';
 		if (defined $favicon) {
 			print "<icon>" . esc_url($favicon) . "</icon>\n";
 		}
-- 
2.11.4.GIT


description	" . esc_html($descr) . "
owner	" . esc_html($owner) . "
owner	" . email_obfuscate($owner) . "
last change