From: Jakub Narebski <jnareb@gmail.com>
To: Stephen Boyd <bebarino@gmail.com>
Cc: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>,
	git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>
Subject: Re: [PATCH] gitweb: fix esc_param
Date: Wed, 14 Oct 2009 11:03:18 +0200
Message-ID: <200910141103.19295.jnareb@gmail.com>
In-Reply-To: <4AD56FD9.70602@gmail.com>

On Wed, 14 Oct 2009, Stephen Boyd wrote:
> Giuseppe Bilotta wrote:
>> On Wed, Oct 14, 2009 at 3:13 AM, Stephen Boyd <bebarino@gmail.com> wrote:
>>
>>> This works great for my purposes. Thanks.
>>>
>> Can you also check if this fixes the branch name issue you mentioned
>> in the other branch? (And/or do you have a repository exposing the
>> problem if not?)
> 
> (We're jumping back and forth between threads haha)
> 
> Sorry, it doesn't. But this diff fixes the first part of the problem.
> There are still problems with the RSS/Atom feed names being mangled. The
> branch name I'm using is gitwéb, but I imagine any utf8 character will fail.

That is (probably) not because of a lack of esc_html, but because
of a lack of to_utf8.  Grrr... we really should convert to utf8 (usually
just mark as utf8) on reading input, to avoid such kinds of errors.

> 
> I see the title and the actual text being mangled without this patch.
> 
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 4b21ad2..910c370 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -1500,9 +1500,10 @@ sub format_ref_marker {
>                                 -href => href(
>                                         action=>$dest_action,
>                                         hash=>$dest
> -                               )}, $name);
> +                               )}, esc_html($name));

Hmmm... to_utf8 would be enough here, but for the fact that
git-check-ref-format doesn't prohibit '<', '>' in ref names,
so it is possible that somebody somewhere is using such strange
ref names (e.g. a branch named '<b>' is a valid branch name).

>  
> -                       $markers .= " <span class=\"$class\" title=\"$ref\">" .
> +                       my $title_ref = esc_html($ref);
> +                       $markers .= " <span class=\"$class\" title=\"$title_ref\">" .

Here it would be really useful to have esc_attr (which would do to_utf8
plus escaping of '"' and '%', quote and escape characters), although
I guess that full HTML escaping done with esc_html wouldn't do anything
bad.

>                                 $link . "</span>";
>                 }
>         }
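Review bot: the title="$title_ref" attribute on the 'my $title_ref = esc_html($ref);' lines is attribute context, where the character that matters is the double quote; nothing in the hunk shows what esc_html escapes, so confirm it covers '"' (or add a dedicated attribute escaper) before relying on it there. On the same span, $class is still interpolated raw into class=\"$class\" next to the now-escaped $ref, which is only fine if it comes from a fixed set of marker types, and neither $name nor $ref is passed through to_utf8, so a non-ASCII ref name such as gitwéb is still emitted as undecoded bytes unless esc_html does the decoding itself.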

-- 
Jakub Narebski
Poland
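As an added example, not part of this thread and not gitweb's own code, the following Perl script shows the two points raised above: a ref name has to be decoded from the raw bytes git returns, and it has to be escaped for the context it lands in, HTML text versus a double-quoted title attribute. The to_utf8, esc_html and esc_attr subs here are simplified stand-ins for gitweb's helpers (assumed shapes, not copies), and the ref names are constructed for the demonstration, including the '<b>' and gitwéb cases from the discussion.

```perl
#!/usr/bin/perl
# Added example, not gitweb's own code.  Demonstrates decoding a ref name
# from bytes and escaping it for HTML text vs. a double-quoted attribute.
# to_utf8/esc_html/esc_attr are simplified stand-ins for gitweb's helpers.
use strict;
use warnings;
use Encode qw(decode_utf8);

binmode STDOUT, ':encoding(UTF-8)';

# Git hands back ref names as raw bytes; decode once, on input, so every
# later substitution works on characters.  Malformed sequences become
# U+FFFD instead of dying on a hostile ref name.
sub to_utf8 {
	my $bytes = shift;
	return decode_utf8($bytes);
}

# Escape for HTML text content.  Decodes as well, so callers cannot forget.
sub esc_html {
	my $str = to_utf8(shift);
	$str =~ s/&/&amp;/g;
	$str =~ s/</&lt;/g;
	$str =~ s/>/&gt;/g;
	return $str;
}

# Escape for a double-quoted attribute value: the quote is what breaks out
# of the attribute, so it is escaped on top of what esc_html does.
sub esc_attr {
	my $str = esc_html(shift);
	$str =~ s/"/&quot;/g;
	return $str;
}

# A ref marker in the shape format_ref_marker emits, once with no escaping
# (the pre-patch shape) and once with context-specific escaping.
sub marker_unescaped {
	my ($class, $ref, $name) = @_;
	return qq{<span class="$class" title="$ref">$name</span>};
}

sub marker_escaped {
	my ($class, $ref, $name) = @_;
	return qq{<span class="$class" title="} . esc_attr($ref) . qq{">}
	     . esc_html($name) . qq{</span>};
}

# Constructed ref names: markup, a quote, and non-ASCII bytes exactly as
# git would emit them (no 'use utf8', so "\xc3\xa9" is two bytes).
my @cases = (
	['<b>',           'refs/heads/<b>'],
	['a"b',           'refs/heads/a"b'],
	["gitw\xc3\xa9b", "refs/heads/gitw\xc3\xa9b"],
);

for my $c (@cases) {
	my ($name, $ref) = @$c;
	print "unescaped: ", to_utf8(marker_unescaped('head', $ref, $name)), "\n";
	print "escaped:   ", marker_escaped('head', $ref, $name), "\n\n";
}

# Self-checks: markup and quotes never reach the output raw, and the
# non-ASCII name is one character, not two bytes, after decoding.
die "text context not escaped"
	unless marker_escaped('head', 'refs/heads/<b>', '<b>') eq
	       '<span class="head" title="refs/heads/&lt;b&gt;">&lt;b&gt;</span>';
die "attribute context not escaped"
	unless marker_escaped('head', 'refs/heads/a"b', 'a"b') eq
	       '<span class="head" title="refs/heads/a&quot;b">a"b</span>';
die "utf8 not decoded"
	unless length(esc_html("gitw\xc3\xa9b")) == 6;
print "all checks passed\n";
```

Running it prints each marker in both forms and then "all checks passed"; the unescaped '<b>' case is what an unpatched format_ref_marker would send to the browser as live markup, and the 'a"b' case shows why an attribute escaper has to handle the quote even when esc_html already handles '<' and '>'.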

Thread overview: 7+ messages
2009-10-13 19:51 [PATCH] gitweb: fix esc_param Giuseppe Bilotta
2009-10-14  1:13 ` Stephen Boyd
2009-10-14  6:19   ` Giuseppe Bilotta
2009-10-14  6:29     ` Stephen Boyd
2009-10-14  9:03       ` Jakub Narebski [this message]
2009-10-14  8:23 ` Jakub Narebski
2009-10-14  9:13 ` Junio C Hamano
