Fri Dec 30 21:08:43 UTC 2005  Alberto Bertogli <albertogli@telpin.com.ar>
  * Escape filenames, just in case.
  In the same spirit as the last patch, add escape() around prints of file
  names. It's highly improbable, but it could happen for weird cases and it
  seems worth the effort.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi	2016-02-16 15:26:06.000000000 +0000
+++ new-darcsweb/darcsweb.cgi	2016-02-16 15:26:06.000000000 +0000
@@ -735,7 +735,7 @@
 
 	if fname:
 		if fname[0] == '/': fname = fname[1:]
-		s = "-s " + fname
+		s = '-s "%s"' % fname
 	else:
 		s = "-s --last=%d" % toget
 
@@ -900,7 +900,7 @@
 	cmd = 'annotate --xml-output'
 	if hash:
 		cmd += ' --match="hash %s"' % hash
-	cmd += ' %s' % fname
+	cmd += ' "%s"' % fname
 	out = run_darcs(cmd)
 	return parse_annotate(out)
 
@@ -962,7 +962,7 @@
 	if fname:
 		title = '<a class="title" href="%s;a=filehistory;f=%s">' % \
 				(config.myreponame, fname)
-		title += 'History for path %s' % fname
+		title += 'History for path %s' % escape(fname)
 		title += '</a>'
 	else:
 		title = '<a class="title" href="%s;a=shortlog">shortlog</a>' \
@@ -1082,7 +1082,7 @@
 
 
 def print_blob(fname):
-	print '<div class="page_path"><b>%s</b></div>' % fname
+	print '<div class="page_path"><b>%s</b></div>' % escape(fname)
 	print '<div class="page_body">'
 	if isbinary(fname):
 		print """
@@ -1369,7 +1369,7 @@
 		'myreponame': config.myreponame,
 		'hash': p.hash,
 		'name': escape(p.name),
-		'fname': fname,
+		'fname': escape(fname),
 	}
 
 	print_diff(dsrc)
@@ -1394,7 +1394,7 @@
 		'myreponame': config.myreponame,
 		'hash': p.hash,
 		'name': escape(p.name),
-		'fname': fname,
+		'fname': escape(fname),
 	}
 
 	dsrc = get_darcs_diff(phash, fname)
@@ -1417,7 +1417,7 @@
 		'myreponame': config.myreponame,
 		'hash': p.hash,
 		'name': escape(p.name),
-		'fname': fname,
+		'fname': escape(fname),
 	}
 
 	print_diff(dsrc)
@@ -1443,7 +1443,7 @@
 		'myreponame': config.myreponame,
 		'hash': p.hash,
 		'name': escape(p.name),
-		'fname': fname,
+		'fname': escape(fname),
 	}
 
 	dsrc = get_darcs_headdiff(phash, fname)
@@ -1481,7 +1481,8 @@
 		'name': escape(p.name),
 	}
 	if p.comment:
-		c = p.comment.replace('\n', '<br/>\n')
+		comment = escape(p.comment)
+		c = comment.replace('\n', '<br/>\n')
 		print '<div class="page_body">'
 		print escape(p.name), '<br/><br/>'
 		print c
@@ -1594,7 +1595,7 @@
 		if not p: continue
 		sofar += '/' + p
 		print '<a href="%s;a=tree;f=%s">%s</a> /' % \
-				(config.myreponame, sofar, p)
+				(config.myreponame, escape(sofar), p)
 
 	print """
   </b></div>
@@ -1640,7 +1641,7 @@
   </td>
 			""" % {
 				'myrname': config.myreponame,
-				'f': f,
+				'f': escape(f),
 				'newf': filter_file(dname + '/' + f),
 			}
 		else:
@@ -1653,7 +1654,7 @@
   </td>
 			""" % {
 				'myrname': config.myreponame,
-				'f': f,
+				'f': escape(f),
 				'fullf': filter_file(dname + '/' + f),
 			}
 		print '</tr>'