From: Jakub Narebski <jnareb@gmail.com>
To: "Jürgen Kreileder" <jk@blackdown.de>
Cc: git@vger.kernel.org, Jakub Narebski <jnareb@gmail.com>
Subject: Re: [PATCH] gitweb: Escape attribute in chop_and_escape_str()
Date: Tue, 29 Nov 2011 11:33:39 -0800 (PST)
Message-ID: <m3liqylo5u.fsf@localhost.localdomain>
In-Reply-To: <CAKD0UuyOMRFHE6DvuDj0ancfwFfg8ADKab6emv99+FN5RfZ=mQ@mail.gmail.com>
Jürgen Kreileder <jk@blackdown.de> writes:
> Fixes the title attribute in <span title="Jürgen Kreileder">Jürgen
> Kreileder</span> for example because to_utf8() is called implicitly now.
>
> (Not sure why the attribute is there at all in the example. From my
> point of view nothing got chopped.)
Hmmm... this should not happen because of
my $chopped = chop_str(@_);
if ($chopped eq $str) {
return esc_html($chopped);
} else
Perhaps it is a matter of doing to_utf8() on $str prior to comparison?
> Signed-off-by: Juergen Kreileder <jk@blackdown.de>
> ---
> gitweb/gitweb.perl | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 4f0c3bd..fd76407 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -1699,7 +1699,7 @@ sub chop_and_escape_str {
> return esc_html($chopped);
> } else {
> $str =~ s/[[:cntrl:]]/?/g;
> - return $cgi->span({-title=>$str}, esc_html($chopped));
> + return $cgi->span({-title => esc_attr($str)}, esc_html($chopped));
> }
> }
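Review bot: wrapping the -title value in esc_attr() double-escapes it, because $cgi->span() already HTML-escapes attribute values itself; an `&` or `"` in $str will come out as `&amp;amp;` / `&amp;quot;` in the rendered title. If the observed symptom is a mis-encoded (not unescaped) title, the fix belongs before the `if ($chopped eq $str)` comparison, e.g. `$str = to_utf8($str);`, so that $str is decoded the same way $chopped is and the else branch is not reached when nothing was actually chopped.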
>
> --
esc_attr() is a wrong solution here, because $cgi->span(...) should
properly escape attributes. You should simply use to_utf8() or
sanitize().
Well, unless we simply do
$str = to_utf8($str);
earlier.
--
Jakub Narębski
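The three variants discussed above (raw bytes in -title, esc_attr() on top of CGI.pm's own escaping, and decoding with to_utf8() first), as an added Perl illustration that is not gitweb's code; the to_utf8/esc_html/esc_attr helpers are simplified stand-ins for gitweb's, and the input strings are constructed. Needs the CGI module (core before Perl 5.22, CPAN afterwards).

```perl
#!/usr/bin/perl
# Added illustration, not gitweb's code: why esc_attr() on a CGI.pm
# attribute double-escapes, and what to_utf8() actually fixes.
use strict;
use warnings;
use CGI;
use Encode qw(decode);

my $cgi = CGI->new;

# Simplified stand-ins for gitweb's helpers (assumed shapes, not the
# originals): to_utf8() decodes raw UTF-8 bytes, esc_html()/esc_attr()
# decode and then HTML-escape.
sub to_utf8  { my $s = shift; return utf8::is_utf8($s) ? $s : decode('UTF-8', $s); }
sub esc_html { return CGI::escapeHTML(to_utf8(shift)); }
sub esc_attr { return esc_html(shift); }

# Constructed input: the undecoded UTF-8 byte string gitweb receives
# from git, containing characters that must be escaped in an attribute.
my $str     = "J\xc3\xbcrgen \"Kreileder\" & co";
my $chopped = "J\xc3\xbcrgen \"Kreileder\"";

binmode STDOUT, ':encoding(UTF-8)';

# 1. Pre-patch: raw bytes in -title.  CGI.pm escapes " and & on its
#    own, but the undecoded bytes get concatenated with the decoded
#    content, so Perl upgrades them as Latin-1 and the umlaut is mangled.
print "raw bytes: ", $cgi->span({-title => $str}, esc_html($chopped)), "\n";

# 2. The patch: esc_attr() escapes first, then CGI.pm escapes the
#    resulting entities a second time (the & of &quot; becomes &amp;).
print "esc_attr:  ", $cgi->span({-title => esc_attr($str)}, esc_html($chopped)), "\n";

# 3. Decode only: the umlaut survives and CGI.pm escapes exactly once.
print "to_utf8:   ", $cgi->span({-title => to_utf8($str)}, esc_html($chopped)), "\n";
```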