authorJunio C Hamano <junkio@cox.net>2006-11-08 15:11:10 -0800
committerJunio C Hamano <junkio@cox.net>2006-11-09 00:13:50 -0800
commit25ffbb27a20278e9884e8f036b39806bb11ec1a8 (patch)
tree98d66966984c6598a4e5748ebcd8b0f164f27210
parentacca687fa9db8eaa380b65d63c3f0d4364892acf (diff)
gitweb: protect blob and diff output lines from controls.
This revealed that the output from blame and tag was not chomped properly and was relying on HTML output not noticing that extra whitespace that resulted from the newline, which was also fixed. Signed-off-by: Junio C Hamano <junkio@cox.net>
-rwxr-xr-xgitweb/gitweb.perl11
1 files changed, 6 insertions, 5 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 634975b3c..f4d1ef007 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -576,11 +576,10 @@ sub esc_html ($;%) {
$str = to_utf8($str);
$str = escapeHTML($str);
- $str =~ s/\014/^L/g; # escape FORM FEED (FF) character (e.g. in COPYING file)
- $str =~ s/\033/^[/g; # "escape" ESCAPE (\e) character (e.g. commit 20a3847d8a5032ce41f90dcc68abfb36e6fee9b1)
if ($opts{'-nbsp'}) {
$str =~ s/ /&nbsp;/g;
}
+ $str =~ s|([[:cntrl:]])|(($1 ne "\t") ? quot_cec($1) : $1)|eg;
return $str;
}
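Review bot: The added substitution quotes every control character except TAB, and `[[:cntrl:]]` also matches `\n` and `\r`, so any string still carrying its line terminator gets a visible quoted newline; that is exactly why the chomp calls in git_tag and blame became necessary, but the contract is implicit at the call sites. A comment on the new line would make it explicit, e.g. `# quote all control chars except TAB; this includes "\n" and "\r", so callers must chomp (and CRLF input will show a quoted CR)`. Note also that the substitution runs after escapeHTML, so whatever quot_cec returns is emitted verbatim and must itself be HTML-safe — I assume it produces markup, which should be confirmed. esc_html's signature appears in the hunk header, but its first lines are outside the hunk.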
@@ -1879,17 +1878,17 @@ sub git_print_page_path {
$fullname .= ($fullname ? '/' : '') . $dir;
print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
hash_base=>$hb),
- -title => $fullname}, esc_path($dir));
+ -title => esc_html($fullname)}, esc_path($dir));
print " / ";
}
if (defined $type && $type eq 'blob') {
print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
hash_base=>$hb),
- -title => $name}, esc_path($basename));
+ -title => esc_html($name)}, esc_path($basename));
} elsif (defined $type && $type eq 'tree') {
print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
hash_base=>$hb),
- -title => $name}, esc_path($basename));
+ -title => esc_html($name)}, esc_path($basename));
print " / ";
} else {
print esc_path($basename);
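Review bot: The three `-title => esc_html(...)` changes in this hunk may double-escape the tooltip text: CGI.pm's tag generators escape attribute values themselves unless autoEscape has been turned off, so a path containing `&` would render in the tooltip as `&amp;`, and any markup quot_cec emits for a control character would appear as literal text inside the attribute rather than as markup. If the goal is only to neutralize control characters in the title attribute, confirm whether `$cgi->autoEscape` is in effect before layering esc_html on top; if it is, the previous `-title => $fullname` form was already safe against attribute injection and only the control-character quoting is new. git_print_page_path starts and ends outside this hunk.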
@@ -2851,6 +2850,7 @@ sub git_tag {
print "<div class=\"page_body\">";
my $comment = $tag{'comment'};
foreach my $line (@$comment) {
+ chomp($line);
print esc_html($line) . "<br/>\n";
}
print "</div>\n";
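Review bot: `chomp($line)` on the added line modifies the array behind `$tag{'comment'}` in place, because a foreach loop variable aliases the element it iterates over. That is harmless if %tag is discarded after printing, but it is a hidden side effect on the parsed tag data; chomping a copy keeps the loop free of it: `chomp(my $text = $line);` followed by `print esc_html($text) . "<br/>\n";`. git_tag starts and ends outside this hunk.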
@@ -2920,6 +2920,7 @@ HTML
}
}
my $data = $_;
+ chomp($data);
my $rev = substr($full_rev, 0, 8);
my $author = $meta->{'author'};
my %date = parse_date($meta->{'author-time'},