git-commit-vandalism/gitweb
Andreas Brauchli 77947bbe24 gitweb: escape link body in format_ref_marker
Fix a case where an html link can be generated from unescaped input
resulting in invalid strict xhtml or potentially injected code.

An overview of a repo with a tag "1.0.0&0.0.1" would previously result
in an unescaped ampersand in the link body.

Signed-off-by: Andreas Brauchli <a.brauchli@elementarea.net>
Acked-by: Jakub Narębski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-01 12:55:40 -07:00
..
static
gitweb.perl gitweb: escape link body in format_ref_marker 2016-08-01 12:55:40 -07:00
INSTALL
Makefile
README

GIT web Interface
=================

From the git version 1.4.0 gitweb is bundled with git.


Build time gitweb configuration
-------------------------------
There are many configuration variables which affect building gitweb (among
others creating gitweb.cgi out of gitweb.perl by replacing placeholders such
as `++GIT_BINDIR++` by their build-time values).

Building and installing gitweb is described in gitweb's INSTALL file
(in 'gitweb/INSTALL').


Runtime gitweb configuration
----------------------------
Gitweb obtains configuration data from the following sources in the
following order:

1. built-in values (some set during build stage),
2. common system-wide configuration file (`GITWEB_CONFIG_COMMON`,
   defaults to '/etc/gitweb-common.conf'),
3. either per-instance configuration file (`GITWEB_CONFIG`, defaults to
   'gitweb_config.perl' in the same directory as the installed gitweb),
   or if it does not exists then system-wide configuration file
   (`GITWEB_CONFIG_SYSTEM`, defaults to '/etc/gitweb.conf').

Values obtained in later configuration files override values obtained earlier
in above sequence.

You can read defaults in system-wide GITWEB_CONFIG_SYSTEM from GITWEB_CONFIG
by adding

  read_config_file($GITWEB_CONFIG_SYSTEM);

at very beginning of per-instance GITWEB_CONFIG file.  In this case
settings in said per-instance file will override settings from
system-wide configuration file.  Note that read_config_file checks
itself that the $GITWEB_CONFIG_SYSTEM file exists.

The most notable thing that is not configurable at compile time are the
optional features, stored in the '%features' variable.

Ultimate description on how to reconfigure the default features setting
in your `GITWEB_CONFIG` or per-project in `project.git/config` can be found
as comments inside 'gitweb.cgi'.

See also gitweb.conf(5) manpage.


Web server configuration
------------------------
Gitweb can be run as CGI script, as legacy mod_perl application (using
ModPerl::Registry), and as FastCGI script.  You can find some simple examples
in "Example web server configuration" section in INSTALL file for gitweb (in
gitweb/INSTALL).

See "Webserver configuration" and "Advanced web server setup" sections in
gitweb(1) manpage.


AUTHORS
-------
Originally written by:
  Kay Sievers <kay.sievers@vrfy.org>

Any comment/question/concern to:
  Git mailing list <git@vger.kernel.org>