git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jakub Narebski <jnareb@gmail.com>
To: Junio C Hamano <junkio@cox.net>
Cc: "Li Yang-r58472" <LeoLi@freescale.com>,
	"Jeff King" <peff@peff.net>,
	git@vger.kernel.org
Subject: Re: [PATCH] gitweb: Change to use explicitly function call cgi->escapHTML()
Date: Wed, 7 Mar 2007 01:37:06 +0100	[thread overview]
Message-ID: <200703070137.07477.jnareb@gmail.com> (raw)
In-Reply-To: <7vzm6qm07l.fsf@assigned-by-dhcp.cox.net>

Junio C Hamano wrote:
> Jakub Narebski <jnareb@gmail.com> writes:
>> Junio C Hamano wrote:
>>
>>> Speaking of -title, I see "sub git_project_list_body" does this:
>>> 
>>>     $cgi->a({ ... -title => $pr->{'descr_long'}}, esc_html($pr->{'descr'}));
>>>         
>>> which seems inconsistent with the earlier quoted $fullname
>>> handling (unless $pr->{'descr_long'} is already quoted and $pr->{'descr'}
>>> is not, which I find highly unlikely).
>>
>> CGI::a() subroutine automatically quotes properly _attribute_ values,
>> but it does not (and it should not) quote _contents_ of a tag.
>>
>> So the above code is correct.
> 
> Sorry, you lost me...  I am wondering what you mean by
> "automatically".  Do you mean 'always'?

Yes, I mean that CGI::a() does quoting _of attributes_, always.
 
> And if that is the case, shouldn't we drop esc_html() around
> $fullname here?
> 
>     ...  For example, many places esc_html()
>     is used as the body of <a ...>$here</a> but some places it is
>     used as
> 
>         $cgi->a({ ... -title =>esc_html($fullname) }, esc_path($dir))
> 
> as we do not have it around $pr->{'descr_long'} in the above?

The above is wrong, thrice. First, it should be esc_path($fullname).
Second, rules for escaping attribute values are different from escaping
HTML. Third, CGI::a() does escaping of attribute values.

Explanation:

  $cgi->a({ ... -attribute => atribute_value }, tag_contents)

is translated to

  <a ... attribute="attribute_value">tag_contents</a>

The rules for escaping attribute values (which are string contents) are
different. For example you have to take care about escaping embedded '"'
and "'" characters; CGI::a() does that for us automatically.

CGI::a() cannot HTML escape tag contents automatically; we might want to
write

  <a href="URL">some <b>bold</b> text</a>

for example. Soe we have to esc_html (or esc_path) if needed.


In short: escape tag contents if needed, do not escape attrbure values.
-- 
Jakub Narebski
Poland

  reply	other threads:[~2007-03-07  0:35 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-03-06  3:58 [PATCH] gitweb: Change to use explicitly function call cgi->escapHTML() Li Yang
2007-03-06  6:55 ` Junio C Hamano
2007-03-06  9:34   ` Jakub Narebski
2007-03-06  9:39     ` Jeff King
2007-03-06  9:46       ` Junio C Hamano
2007-03-06 10:31       ` Li Yang-r58472
2007-03-06 10:41         ` Jeff King
2007-03-06 10:53           ` Junio C Hamano
2007-03-06 10:56             ` Jeff King
2007-03-06 10:58               ` Junio C Hamano
2007-03-06 11:01                 ` Jeff King
2007-03-06 11:05                   ` Junio C Hamano
2007-03-06 11:07                     ` Jeff King
2007-03-06 11:07                   ` Li Yang-r58472
2007-03-06 10:45         ` Junio C Hamano
2007-03-06 13:23           ` Jakub Narebski
2007-03-06 23:17             ` Junio C Hamano
2007-03-07  0:37               ` Jakub Narebski [this message]
2007-03-07  0:49                 ` Junio C Hamano
2007-03-07  1:21                   ` [PATCH] gitweb: Don't escape attributes in CGI.pm HTML methods Jakub Narebski
2007-03-07  1:40                     ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200703070137.07477.jnareb@gmail.com \
    --to=jnareb@gmail.com \
    --cc=LeoLi@freescale.com \
    --cc=git@vger.kernel.org \
    --cc=junkio@cox.net \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).