]> Lady’s Gitweb - Gitweb/blobdiff - gitweb.perl
Lady’s Gitweb / Gitweb / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
gitweb: Strip non-printable characters from syntax highlighter output
[Gitweb] / gitweb.perl
diff --git a/gitweb.perl b/gitweb.perl
index 349c969376cc92d92f0a57edda32e7357a25c51ee5868c03fb3fec12af90bfe2..3a8a2f0285bc72971d6f45521883981042f487adbb223b9ac816faf237dec3b1 100755 (executable)
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -1518,6 +1518,17 @@ sub esc_path {
        return $str;
 }
 
+# Sanitize for use in XHTML + application/xml+xhtm (valid XML 1.0)
+sub sanitize {
+       my $str = shift;
+
+       return undef unless defined $str;
+
+       $str = to_utf8($str);
+       $str =~ s|([[:cntrl:]])|($1 =~ /[\t\n\r]/ ? $1 : quot_cec($1))|eg;
+       return $str;
+}
+
 # Make control characters "printable", using character escape codes (CEC)
 sub quot_cec {
        my $cntrl = shift;
@@ -6485,7 +6496,8 @@ sub git_blob {
                        $nr++;
                        $line = untabify($line);
                        printf qq!<div class="pre"><a id="l%i" href="%s#l%i" class="linenr">%4i</a> %s</div>\n!,
-                              $nr, href(-replay => 1), $nr, $nr, $syntax ? $line : esc_html($line, -nbsp=>1);
+                              $nr, esc_attr(href(-replay => 1)), $nr, $nr,
+                              $syntax ? sanitize($line) : esc_html($line, -nbsp=>1);
                }
        }
        close $fd
🐙🌐 Git·web: A C·G·I script for rendering Git repositories
This page took 0.280344 seconds and 4 git commands to generate.