Tue Dec 27 03:19:14 UTC 2005 Michael Allan <mike@zelea.com>
* Escape patch names.
When patch names are used in HTML, escape characters like '<'.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi 2015-10-03 19:47:25.000000000 +0000
+++ new-darcsweb/darcsweb.cgi 2015-10-03 19:47:25.000000000 +0000
@@ -1012,7 +1012,7 @@
'author': shorten_str(p.shortauthor, 26),
'myrname': config.myreponame,
'hash': p.hash,
- 'name': shorten_str(p.name),
+ 'name': escape(shorten_str(p.name)),
'fullname': escape(p.name),
}
print "</tr>"
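Review bot: `'author': shorten_str(p.shortauthor, 26)` is still substituted without escaping in the same row, although the author field comes from the same patch metadata as the name. Unless `p.shortauthor` is already escaped where it is built (not visible here), it should read `'author': escape(shorten_str(p.shortauthor, 26)),`, shortening first as the new `name` line does so that an entity is never cut in half. The template is outside the hunk; if `fullname` or `name` ends up inside a quoted attribute, confirm that `escape` also encodes `"`, since `xml.sax.saxutils.escape` does not do so by default.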
@@ -1263,7 +1263,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
}
dsrc = p.getdiff()
@@ -1287,7 +1287,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
}
dsrc = get_darcs_diff(phash)
@@ -1316,7 +1316,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
}
dsrc = get_patch_headdiff(phash)
@@ -1341,7 +1341,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
}
dsrc = get_darcs_headdiff(phash)
@@ -1368,7 +1368,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
'fname': fname,
}
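Review bot: `'fname': fname` is passed to the template unescaped right next to the now-escaped `name`, and the same pattern repeats in the three following hunks (old lines 1393, 1416 and 1442). Neither the template nor the origin of `fname` is visible in these hunks, so this needs confirming, but a file name taken from the request or from repository contents is as untrusted as a patch name. Where it is rendered as HTML text, use `'fname': escape(fname),`. Where it is placed in a link target, it needs URL quoting first and then attribute-safe escaping, rather than HTML escaping alone.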
@@ -1393,7 +1393,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
'fname': fname,
}
@@ -1416,7 +1416,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
'fname': fname,
}
@@ -1442,7 +1442,7 @@
""" % {
'myreponame': config.myreponame,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
'fname': fname,
}
@@ -1478,12 +1478,12 @@
'local_date': p.local_date_str,
'date': p.date_str,
'hash': p.hash,
- 'name': p.name,
+ 'name': escape(p.name),
}
if p.comment:
c = p.comment.replace('\n', '<br/>\n')
print '<div class="page_body">'
- print p.name, '<br/><br/>'
+ print escape(p.name), '<br/><br/>'
print c
print '</div>'
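Review bot: The long comment is still written out raw here: `c = p.comment.replace('\n', '<br/>\n')` followed by `print c` emits `p.comment` unescaped, two lines below the `print escape(p.name)` this hunk adds. The comment comes from the same patch metadata as the name, so markup in it would reach the page unchanged unless it is escaped elsewhere (not visible in the hunk). Escaping before inserting the line breaks keeps the generated `<br/>` tags intact: `c = escape(p.comment).replace('\n', '<br/>\n')`. The enclosing function starts and ends outside the hunk.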