From eec1d963a395754b695dc7fdcbe0e53861bea16e Mon Sep 17 00:00:00 2001
From: Nolan Prescott
Date: Thu, 24 Dec 2020 15:12:06 -0500
Subject: [PATCH] Hash branch name in HTML attributes

As reported on sr.ht-discuss:

> The "Prepare a patchset" UI shows an empty list of commits on
> branches that include a slash inside the name

The branch name is used to define CSS selectors inside a style block on the send-email template and branch names may contain invalid CSS identifier values. Without escaping the browser does not render these specific styles, leaving them in the state of `display:none` as defined on `.event-list.commit-list`.
---
 gitsrht/blueprints/email.py | 6 ++++++
 gitsrht/templates/send-email.html | 19 +++++++++++--------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/gitsrht/blueprints/email.py b/gitsrht/blueprints/email.py
index 7e80e54..89b4d1a 100644
--- a/gitsrht/blueprints/email.py
+++ b/gitsrht/blueprints/email.py
@@ -6,6 +6,7 @@ import re
 import smtplib
 import subprocess
 import sys
+import hashlib
 from email.utils import make_msgid, parseaddr
 from email.message import EmailMessage
 from flask import Blueprint, render_template, abort, request, url_for, session
@@ -347,3 +348,8 @@ def send_email_send(owner, repo):
 session["message"] = "Your patchset has been sent."
 return redirect(url_for('repo.summary',
 owner=repo.owner, repo=repo.name))
+
+@mail.app_template_filter('hash')
+def to_hash(value):
+ hashed_value = hashlib.sha256(value.encode())
+ return hashed_value.hexdigest()
diff --git a/gitsrht/templates/send-email.html b/gitsrht/templates/send-email.html
index b40ce86..035e089 100644
--- a/gitsrht/templates/send-email.html
+++ b/gitsrht/templates/send-email.html
@@ -37,14 +37,15 @@ Select a branch {% for branch in branches[:2] %}
+ {%- set branch_hash = branch[0] | hash -%}
-
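Review bot: `to_hash` in gitsrht/blueprints/email.py has no docstring, and `app_template_filter` registers it for every template under the generic name `hash`, so a later reader could mistake it for a security primitive rather than a way to derive a markup-safe identifier. A docstring such as `"""Return the hex SHA-256 of value; used only to build a CSS/HTML-safe identifier from a branch name, not as a security control."""` would state the intent, and a narrower filter name would make misuse less likely. A hex digest also starts with a digit more often than not, which is not a valid first character of a CSS identifier, so the selectors only work if the template keeps a fixed alphabetic prefix in front of the digest. The template hunk is cut off in this view, so that could not be confirmed.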