Lady’s Gitweb - Gitweb/commitdiff
gitweb: escape html in rss title
author Jeff King <redacted>
Mon, 12 Nov 2012 21:34:28 +0000 (16:34 -0500)
committer Lady <redacted>
Mon, 6 Apr 2026 04:51:32 +0000 (00:51 -0400)
The title of an RSS feed is generated from many components,
including the filename provided as a query parameter, but we
failed to quote it.  Besides showing the wrong output, this
is a vector for XSS attacks.

Signed-off-by: Jeff King <redacted>
gitweb.perl

index b9ceaf90f6124187f868062e37e521ae85bf5206bc7000b7ca2d2a17823163ba..8d9e568de66c7c5b7cf1a6bfc007940fb00e286514eafef756d383cd9cb803c3 100755 (executable)
@@ -8055,6 +8055,7 @@ sub git_feed {
                $feed_type = 'history';
        }
        $title .= " $feed_type";
+       $title = esc_html($title);
        my $descr = git_get_project_description($project);
        if (defined $descr) {
                $descr = esc_html($descr);
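Review bot: escaping `$title` on the added line, after the last component (`" $feed_type"`) has been appended, is the right place for a single escape, but it makes correctness depend on nothing later appending to `$title` or passing it through `esc_html` a second time (which would double-encode `&amp;`); a one-line comment such as `# $title is HTML-escaped from here on` above the assignment would document that, and it is worth checking that `$descr`, which the following lines escape separately, is never concatenated into the already-escaped `$title`.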