mirror of
https://git.zx2c4.com/cgit
synced 2024-11-22 16:38:42 +00:00
ui-diff.c: avoid html injection
When path-filtering was used in commit-view, the path filter was included without proper html escaping. This patch closes the hole. Signed-off-by: Lukasz Janyst <ljanyst@cern.ch> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
This commit is contained in:
parent
1b09cbd303
commit
7f3c6e0ce9
@ -172,8 +172,11 @@ void cgit_print_diffstat(const unsigned char *old_sha1,
|
|||||||
html("<div class='diffstat-header'>");
|
html("<div class='diffstat-header'>");
|
||||||
cgit_diff_link("Diffstat", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
|
cgit_diff_link("Diffstat", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
|
||||||
ctx.qry.sha2, NULL, 0);
|
ctx.qry.sha2, NULL, 0);
|
||||||
if (prefix)
|
if (prefix) {
|
||||||
htmlf(" (limited to '%s')", prefix);
|
html(" (limited to '");
|
||||||
|
html_txt(prefix);
|
||||||
|
html("')");
|
||||||
|
}
|
||||||
html(" (");
|
html(" (");
|
||||||
ctx.qry.context = (save_context > 0 ? save_context : 3) << 1;
|
ctx.qry.context = (save_context > 0 ? save_context : 3) << 1;
|
||||||
cgit_self_link("more", NULL, NULL, &ctx);
|
cgit_self_link("more", NULL, NULL, &ctx);
|
||||||
|
Loading…
Reference in New Issue
Block a user