From: Jakub Narebski <jnareb@gmail.com>
To: Stephen Boyd <bebarino@gmail.com>
Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>,
git@vger.kernel.org, kernel@pengutronix.de
Subject: Re: gitweb not friendly to firefox revived
Date: Sat, 14 Aug 2010 14:29:35 +0200
Message-ID: <201008141429.36829.jnareb@gmail.com>
In-Reply-To: <4C6670EE.3060806@gmail.com>
On Sat, 14 Aug 2010, Stephen Boyd wrote:
> On 08/03/2010 02:50 PM, Jakub Narebski wrote:
> > +
> > + my $title = to_utf8("Search for commits $performed by $author");
> > + $title =~ s/[[:cntrl:]]/?/g;
> > +
> >
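Review bot: the substitution `$title =~ s/[[:cntrl:]]/?/g` in the second added line also replaces TAB, LF and CR, which XML does allow, and it is applied only to this one attribute value; a short comment explaining that the cleanup lives here because CGI.pm leaves control characters in attribute values untouched (so they cannot be pre-escaped without double escaping) would help the next reader see why this is not done in esc_html.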
>
> Isn't it possible that other data coming from git could have escape
> characters in them such as the commit subject line? In which case this
> same bug would occur?
>
> Therefore isn't it better to strip out control characters (that's what
> this patch is doing right?) in esc_html?
First, esc_html and esc_path *do* escape control characters using
either control escape characters (e.g. "\n" for LF), or escaped octal
representation (e.g. "\001").
Second, it does not help with contents of *attributes* of HTML tag
elements (like e.g. 'title' attribute) when those elements are
generated using CGI (e.g. $cgi->a({..., -title => ...},esc_html(...))).
Unfortunately (older?) CGI.pm does not escape control characters, and
we cannot do the escaping ourselves because it would lead to double escaping.
The problem with Firefox is that in the strict XHTML conformance model
(XHTML DTD and application/xhtml+xml mimetype) it *enforces* that the XML
is well formed, which includes the absence of control characters, instead of
silently allowing them as in the looser HTML mode.
--
Jakub Narebski
Poland
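The behaviour described in the reply above, as an added Perl example that is not gitweb's own code: a check for the characters XML 1.0 forbids, the attribute-side cleanup applied to a value before it reaches CGI.pm, and an esc_html-like rendering of element content. The escape table in esc_content and the sample author string are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# XML 1.0 permits only TAB, LF and CR from the C0 range; every other
# control character (and DEL) makes the document ill-formed, which is
# what Firefox rejects when the page is served as application/xhtml+xml.
my $XML_FORBIDDEN = qr/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;

# Report whether a string can be placed in an XHTML document unchanged.
sub has_xml_forbidden_chars {
    my ($s) = @_;
    return ($s =~ $XML_FORBIDDEN) ? 1 : 0;
}

# For attribute values handed to CGI.pm (which quotes <, >, & and " but
# leaves control characters alone): replace forbidden characters with '?'
# before CGI.pm sees the value, so nothing is escaped twice.
sub attr_safe {
    my ($s) = @_;
    $s =~ s/$XML_FORBIDDEN/?/g;
    return $s;
}

# For element content, an esc_html-like rendering: entity-escape the
# HTML-special characters, then show control characters visibly as
# "\n", "\t", "\r" or an octal escape such as "\033" (assumed table).
my %CTRL_NAME = ("\n" => '\\n', "\t" => '\\t', "\r" => '\\r');
sub esc_content {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/([\x00-\x1F\x7F])/exists $CTRL_NAME{$1} ? $CTRL_NAME{$1} : sprintf('\\%03o', ord $1)/ge;
    return $s;
}

# Constructed sample: an author string carrying an ESC byte, as a terminal
# colour sequence pasted into a commit's author field would.
my $author = "A. U. Thor \e[1m<author\@example.com>";
my $title  = "Search for commits by $author";
printf "title needs cleaning: %d\n", has_xml_forbidden_chars($title);
printf "attribute value:      %s\n", attr_safe($title);
printf "element content:      %s\n", esc_content($author);
```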