]> Lady’s Gitweb - Gitweb/commitdiff
Lady’s Gitweb / Gitweb / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side (from parent 1: 194aa3b)
gitweb: Don't escape attributes in CGI.pm HTML methods
authorJakub Narebski <redacted>
Wed, 7 Mar 2007 01:21:25 +0000 (02:21 +0100)
committerLady <redacted>
Mon, 6 Apr 2026 04:07:11 +0000 (00:07 -0400)
There is no need to escape HTML tag's attributes in CGI.pm
HTML methods (like CGI::a()), because CGI.pm does attribute
escaping automatically.

  $cgi->a({ ... -attribute => atribute_value }, tag_contents)

is translated to

  <a ... attribute="attribute_value">tag_contents</a>

The rules for escaping attribute values (which are string contents) are
different. For example you have to take care about escaping embedded '"'
and "'" characters; CGI::a() does that for us automatically.

CGI::a() does not HTML escape tag_contents; we would need to write

  <a href="URL">some <b>bold</b> text</a>

for example. So we use esc_html (or esc_path) to escape tag_contents
as needed.

Signed-off-by: Jakub Narebski <redacted>
Signed-off-by: Junio C Hamano <redacted>
gitweb.perl patch | blob | history

diff --git a/gitweb.perl b/gitweb.perl
index 1d1202fb8e4792d1612744ea5aa9f7746888b98d68085868d04af1f7d9291101..87a1378ea243d224c05feb4d98a7b54a27cd009865c3915a7da85de35144dc27 100755 (executable)
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -1975,17 +1975,17 @@ sub git_print_page_path {
                        $fullname .= ($fullname ? '/' : '') . $dir;
                        print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
                                                     hash_base=>$hb),
                        $fullname .= ($fullname ? '/' : '') . $dir;
                        print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
                                                     hash_base=>$hb),
-                                     -title => esc_html($fullname)}, esc_path($dir));
+                                     -title => $fullname}, esc_path($dir));
                        print " / ";
                }
                if (defined $type && $type eq 'blob') {
                        print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
                                                     hash_base=>$hb),
                        print " / ";
                }
                if (defined $type && $type eq 'blob') {
                        print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => esc_html($name)}, esc_path($basename));
+                                     -title => $name}, esc_path($basename));
                } elsif (defined $type && $type eq 'tree') {
                        print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
                                                     hash_base=>$hb),
                } elsif (defined $type && $type eq 'tree') {
                        print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => esc_html($name)}, esc_path($basename));
+                                     -title => $name}, esc_path($basename));
                        print " / ";
                } else {
                        print esc_path($basename);
                        print " / ";
                } else {
                        print esc_path($basename);
🐙🌐 Git·web: A C·G·I script for rendering Git repositories
This page took 0.231012 seconds and 4 git commands to generate.