gitweb: protect blob and diff output lines from controls.
This revealed that the output from blame and tag was not chomped properly and was relying on HTML output not noticing that extra whitespace that resulted from the newline, which was also fixed. Signed-off-by: Junio C Hamano <junkio@cox.net>
parent
acca687fa9
commit
25ffbb27a2
@ -576,11 +576,10 @@ sub esc_html ($;%) {
|
|||||||
|
|
||||||
$str = to_utf8($str);
|
$str = to_utf8($str);
|
||||||
$str = escapeHTML($str);
|
$str = escapeHTML($str);
|
||||||
$str =~ s/\014/^L/g; # escape FORM FEED (FF) character (e.g. in COPYING file)
|
|
||||||
$str =~ s/\033/^[/g; # "escape" ESCAPE (\e) character (e.g. commit 20a3847d8a5032ce41f90dcc68abfb36e6fee9b1)
|
|
||||||
if ($opts{'-nbsp'}) {
|
if ($opts{'-nbsp'}) {
|
||||||
$str =~ s/ / /g;
|
$str =~ s/ / /g;
|
||||||
}
|
}
|
||||||
|
$str =~ s|([[:cntrl:]])|(($1 ne "\t") ? quot_cec($1) : $1)|eg;
|
||||||
return $str;
|
return $str;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1879,17 +1878,17 @@ sub git_print_page_path {
|
|||||||
$fullname .= ($fullname ? '/' : '') . $dir;
|
$fullname .= ($fullname ? '/' : '') . $dir;
|
||||||
print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
|
print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
|
||||||
hash_base=>$hb),
|
hash_base=>$hb),
|
||||||
-title => $fullname}, esc_path($dir));
|
-title => esc_html($fullname)}, esc_path($dir));
|
||||||
print " / ";
|
print " / ";
|
||||||
}
|
}
|
||||||
if (defined $type && $type eq 'blob') {
|
if (defined $type && $type eq 'blob') {
|
||||||
print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
|
print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
|
||||||
hash_base=>$hb),
|
hash_base=>$hb),
|
||||||
-title => $name}, esc_path($basename));
|
-title => esc_html($name)}, esc_path($basename));
|
||||||
} elsif (defined $type && $type eq 'tree') {
|
} elsif (defined $type && $type eq 'tree') {
|
||||||
print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
|
print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
|
||||||
hash_base=>$hb),
|
hash_base=>$hb),
|
||||||
-title => $name}, esc_path($basename));
|
-title => esc_html($name)}, esc_path($basename));
|
||||||
print " / ";
|
print " / ";
|
||||||
} else {
|
} else {
|
||||||
print esc_path($basename);
|
print esc_path($basename);
|
||||||
@ -2851,6 +2850,7 @@ sub git_tag {
|
|||||||
print "<div class=\"page_body\">";
|
print "<div class=\"page_body\">";
|
||||||
my $comment = $tag{'comment'};
|
my $comment = $tag{'comment'};
|
||||||
foreach my $line (@$comment) {
|
foreach my $line (@$comment) {
|
||||||
|
chomp($line);
|
||||||
print esc_html($line) . "<br/>\n";
|
print esc_html($line) . "<br/>\n";
|
||||||
}
|
}
|
||||||
print "</div>\n";
|
print "</div>\n";
|
||||||
@ -2920,6 +2920,7 @@ HTML
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
my $data = $_;
|
my $data = $_;
|
||||||
|
chomp($data);
|
||||||
my $rev = substr($full_rev, 0, 8);
|
my $rev = substr($full_rev, 0, 8);
|
||||||
my $author = $meta->{'author'};
|
my $author = $meta->{'author'};
|
||||||
my %date = parse_date($meta->{'author-time'},
|
my %date = parse_date($meta->{'author-time'},
|
||||||
|
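Review bot: In git_print_page_path the three `-title => esc_html(...)` arguments feed element-content escaping into an attribute value that `$cgi->a()` will entity-encode a second time, assuming `$cgi` is a CGI.pm object with autoEscape left at its default. A path containing `&` would then show up as `&amp;` in the tooltip, and if quot_cec() (not visible on this page) returns markup rather than plain text, that markup would be displayed literally inside the title. I would keep attribute values on a text-only path, for example a small helper that replaces control characters with a plain-text escape and leaves entity encoding to CGI.pm, and add a comment on esc_html such as `# returns HTML for element content; do not use for attribute values`. Separately, because newline is in `[[:cntrl:]]`, every esc_html caller now has to chomp its input first; only git_tag and the blame loop are adjusted in the visible hunks, so the remaining callers are worth checking. The bodies of git_print_page_path, git_tag and the blame loop all continue outside their hunks.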