gitweb: escape html in rss title

The title of an RSS feed is generated from many components,
including the filename provided as a query parameter, but we
failed to quote it.  Besides showing the wrong output, this
is a vector for XSS attacks.

Signed-off-by: Jeff King <redacted>

diff --git a/gitweb.perl b/gitweb.perl
index b9ceaf90f6124187f868062e37e521ae85bf5206bc7000b7ca2d2a17823163ba..8d9e568de66c7c5b7cf1a6bfc007940fb00e286514eafef756d383cd9cb803c3 100755 (executable)
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -8055,6 +8055,7 @@ sub git_feed {
                $feed_type = 'history';
        }
        $title .= " $feed_type";
                $feed_type = 'history';
        }
        $title .= " $feed_type";

+       $title = esc_html($title);

        my $descr = git_get_project_description($project);
        if (defined $descr) {
                $descr = esc_html($descr);
        my $descr = git_get_project_description($project);
        if (defined $descr) {
                $descr = esc_html($descr);