gitweb: Fix displaying unchopped argument in chop_and_escape_str
Do not use esc_html to escape [title] _attribute_ of a HTML element,
and quote unprintable characters.  Replace unprintable characters by
'?' and use CGI method to generate HTML element and do the escaping.

This caused bug noticed by Martin Koegler,
  Message-ID: <20080216130037.GA14571@auto.tuwien.ac.at>
that for bad commit encoding in author name, the title attribute (here
to show full, not shortened name) had embedded HTML code in it, result
of quoting unprintable characters the gitweb/HTML way. This of course
broke the HTML, causing page being not displayed in XML validating web
browsers.

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Jakub Narebski authored and Junio C Hamano committed Feb 18, 2008
1 parent 508e84a commit 850b90a
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions gitweb/gitweb.perl
Expand Up @@ -866,8 +866,8 @@ sub chop_and_escape_str {
if ($chopped eq $str) {
return esc_html($chopped);
} else {
return qq{<span title="} . esc_html($str) . qq{">} .
esc_html($chopped) . qq{</span>};
$str =~ s/([[:cntrl:]])/?/g;
return $cgi->span({-title=>$str}, esc_html($chopped));
}
}
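Review bot: The added substitution `$str =~ s/([[:cntrl:]])/?/g;` replaces only control characters, while the commit message gives the trigger as a bad commit encoding in the author name, so please confirm (and note in a comment) that `$str` is already decoded at this point and that no other unprintable byte can reach the title attribute unchanged. The capture parentheses are unused and can be dropped, leaving `s/[[:cntrl:]]/?/g`. The title value now depends on `$cgi->span` to escape the attribute, which holds only while CGI.pm's automatic escaping stays enabled; a one-line comment above the return stating that dependency would help keep a later change from putting markup back into the attribute.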
