From: Jakub Narebski
Date: Wed, 7 Mar 2007 01:21:25 +0000 (+0100)
Subject: gitweb: Don't escape attributes in CGI.pm HTML methods
X-Git-Url: https://git.ladys.computer/Gitweb/commitdiff_plain/b23b11f32b799fb22b914f2f7c426ee6eaa5b2fa97b5c7848e1720f85476482c?hp=194aa3b3b9ae6310ab1917888de2f085f12e79c263ae581c95b40843f5314d45

gitweb: Don't escape attributes in CGI.pm HTML methods

There is no need to escape HTML tag's attributes in CGI.pm HTML methods (like CGI::a()), because CGI.pm does attribute escaping automatically.

$cgi->a({ ... -attribute => atribute_value }, tag_contents) is translated to tag_contents

The rules for escaping attribute values (which are string contents) are different. For example you have to take care about escaping embedded '"' and "'" characters; CGI::a() does that for us automatically.

CGI::a() does not HTML escape tag_contents; we would need to write some bold text for example. So we use esc_html (or esc_path) to escape tag_contents as needed.

Signed-off-by: Jakub Narebski
Signed-off-by: Junio C Hamano
---
diff --git a/gitweb.perl b/gitweb.perl
index 1d1202f..87a1378 100755
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -1975,17 +1975,17 @@ sub git_print_page_path {
 $fullname .= ($fullname ? '/' : '') . $dir;
 print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
 hash_base=>$hb),
- -title => esc_html($fullname)}, esc_path($dir));
+ -title => $fullname}, esc_path($dir));
 print " / ";
 }
 if (defined $type && $type eq 'blob') {
 print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
 hash_base=>$hb),
- -title => esc_html($name)}, esc_path($basename));
+ -title => $name}, esc_path($basename));
 } elsif (defined $type && $type eq 'tree') {
 print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
 hash_base=>$hb),
- -title => esc_html($name)}, esc_path($basename));
+ -title => $name}, esc_path($basename));
 print " / ";
 } else {
 print esc_path($basename);
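Review bot: Dropping esc_html() on the three -title values (the first changed line and the two blob/tree lines below it) makes attribute escaping depend entirely on CGI.pm's autoEscape setting, which is on by default but can be disabled with $cgi->autoEscape(0); since $fullname and $name derive from the requested path, a later autoEscape(0) anywhere in gitweb would silently turn these lines into unescaped attribute output. A one-line comment at the first changed line would record the invariant: `# -title is escaped by CGI.pm itself (autoEscape); do not esc_html() it, or it is double-escaped`. If esc_html also performs the UTF-8 conversion and control-character replacement that esc_path applies to the link text, that handling is now skipped for the title attribute, so it is worth confirming that raw non-ASCII and control-character file names still render as intended. The enclosing git_print_page_path starts before this hunk and continues past its last line.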