gitweb: Fix escaping HTML of project owner in 'projects_list' and

'summary' views

This for example allows to put email address in the project owner
field in the projects index file (when $projects_list points to
a file, and not to a directory), in the form of:

path/to/repo.git Random+J+Developer+<random@developer.example.org>

Noticed-by: Jon Smirl <jonsmirl@gmail.com>
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Petr Baudis <pasky@suse.cz>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 18042843d..b2bae1b25 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -3419,7 +3419,7 @@ sub git_project_list_body {
 		      "<td>" . $cgi->a({-href => href(project=>$pr->{'path'}, action=>"summary"),
 		                        -class => "list", -title => $pr->{'descr_long'}},
 		                        esc_html($pr->{'descr'})) . "</td>\n" .
-		      "<td><i>" . chop_str($pr->{'owner'}, 15) . "</i></td>\n";
+		      "<td><i>" . esc_html(chop_str($pr->{'owner'}, 15)) . "</i></td>\n";
 		print "<td class=\"". age_class($pr->{'age'}) . "\">" .
 		      (defined $pr->{'age_string'} ? $pr->{'age_string'} : "No commits") . "</td>\n" .
 		      "<td class=\"link\">" .
@@ -3795,7 +3795,7 @@ sub git_summary {
 	print "<div class=\"title\">&nbsp;</div>\n";
 	print "<table cellspacing=\"0\">\n" .
 	      "<tr><td>description</td><td>" . esc_html($descr) . "</td></tr>\n" .
-	      "<tr><td>owner</td><td>$owner</td></tr>\n";
+	      "<tr><td>owner</td><td>" . esc_html($owner) . "</td></tr>\n";
 	if (defined $cd{'rfc2822'}) {
 		print "<tr><td>last change</td><td>$cd{'rfc2822'}</td></tr>\n";
 	}