gitweb: protect blob and diff output lines from controls.
authorJunio C Hamano <redacted>
Wed, 8 Nov 2006 23:11:10 +0000 (15:11 -0800)
committerLady <redacted>
Mon, 6 Apr 2026 04:07:11 +0000 (00:07 -0400)
This revealed that the output from blame and tag was not chomped
properly and relied on the HTML output not noticing the extra
whitespace that resulted from the newline; that was also fixed.

Signed-off-by: Junio C Hamano <redacted>
gitweb.perl

index 4a8bea05535303f7e1673a0bf33dfb9188fb2993add3c6e75aa9e77e621c1800..ab5fefa2008ba407f729e08b9bfde1da38d8c37bfb8a47b7e18cab21d538ef52 100755 (executable)
@@ -577,11 +577,10 @@ sub esc_html ($;%) {
 
        $str = to_utf8($str);
        $str = escapeHTML($str);
-       $str =~ s/\014/^L/g; # escape FORM FEED (FF) character (e.g. in COPYING file)
-       $str =~ s/\033/^[/g; # "escape" ESCAPE (\e) character (e.g. commit 20a3847d8a5032ce41f90dcc68abfb36e6fee9b1)
        if ($opts{'-nbsp'}) {
                $str =~ s/ /&nbsp;/g;
        }
+       $str =~ s|([[:cntrl:]])|(($1 ne "\t") ? quot_cec($1) : $1)|eg;
        return $str;
 }
 
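Review bot: The control-character substitution on the added line runs after escapeHTML, so whatever quot_cec() returns is written into the page unescaped, and nothing in esc_html states that invariant. quot_cec is not visible in this hunk, so I cannot confirm its output is HTML-safe today, but any future edit to it has to keep it so; note too that `[[:cntrl:]]` matches "\n", DEL and, on decoded strings, the C1 range, all of which now reach quot_cec. A comment on the added line would pin both points: `# after escapeHTML: quot_cec() output is not re-escaped, so it must emit only HTML-safe markup; "\n" is a control too, so callers chomp first`. Running the class after the -nbsp substitution is fine since "&nbsp;" contains no control characters.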
@@ -1880,17 +1879,17 @@ sub git_print_page_path {
                        $fullname .= ($fullname ? '/' : '') . $dir;
                        print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
                                                     hash_base=>$hb),
-                                     -title => $fullname}, esc_path($dir));
+                                     -title => esc_html($fullname)}, esc_path($dir));
                        print " / ";
                }
                if (defined $type && $type eq 'blob') {
                        print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => $name}, esc_path($basename));
+                                     -title => esc_html($name)}, esc_path($basename));
                } elsif (defined $type && $type eq 'tree') {
                        print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => $name}, esc_path($basename));
+                                     -title => esc_html($name)}, esc_path($basename));
                        print " / ";
                } else {
                        print esc_path($basename);
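Review bot: The three changed -title values now pass esc_html() output into CGI.pm's a() helper, which by default escapes attribute values itself (autoEscape); if that default is still in force, an `&` or `<` in a path name is double-escaped in the tooltip (`&amp;amp;`). Whether gitweb turns autoEscape off is not visible in this hunk, so please confirm before merging; if it does not, either drop these esc_html() calls or call `$cgi->autoEscape(0)` once where $cgi is built so the escaping happens in exactly one place. The -href values on the same lines are unchanged by this commit, so the concern is limited to -title. git_print_page_path starts and ends outside the hunk.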
@@ -2852,6 +2851,7 @@ sub git_tag {
        print "<div class=\"page_body\">";
        my $comment = $tag{'comment'};
        foreach my $line (@$comment) {
+               chomp($line);
                print esc_html($line) . "<br/>\n";
        }
        print "</div>\n";
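Review bot: `chomp($line)` on the added line rewrites the tag's comment in place, because a foreach loop variable aliases the element of @$comment it is iterating over, so anything that reads $tag{'comment'} after this loop now sees the stripped lines. If that is not intended, strip a copy instead: `my $text = $line; chomp($text); print esc_html($text) . "<br/>\n";`. Note also that chomp removes only the trailing "\n", so a "\r" from a CRLF-terminated tag message survives and, with esc_html's new control-character handling, is rendered as a visible marker rather than dropped; the same applies to `chomp($data)` in the blame hunk below. git_tag continues outside the hunk.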
@@ -2921,6 +2921,7 @@ HTML
                        }
                }
                my $data = $_;
+               chomp($data);
                my $rev = substr($full_rev, 0, 8);
                my $author = $meta->{'author'};
                my %date = parse_date($meta->{'author-time'},