Today I added a
`commit-filter=/usr/lib64/cgit/filters/html-converters/md2html` line
to my `/etc/cgitrc`, and was a bit surprised when I saw `<` and
`>` in the web UI (example:
https://www.thenautilus.net/cgit/media-control/commit/?id=6fda0abed78af7be43ca554c07244bce0f0115a7
).
The cgitrc manpage says of `commit-filter`:
> the STDOUT from the command will be included verbatim as the commit
> message
but `md2html` prints `<` and `>`, not `&lt;` and `&gt;`.
Then I looked through the cgit source, and I saw that different places
handle the output of filters differently:
* the output of `source_filter` is always printed via `html_raw`
* `about_filter` via `html_include` (which calls `html_raw`) or
`cgit_print_file`
* `email_filter`, `owner_filter`, and `commit_filter`, via `html_txt`
So the output of `email_filter`, `owner_filter`, and `commit_filter`
is *not* "included verbatim", it undergoes HTML escaping.
I think this difference should be documented, or maybe the output of
all filters should really be included verbatim (while still using
`html_txt` when there's no filter involved, to prevent injection from
untrusted input).
Opinions?
--
Dakkar - <Mobilis in mobile>
GPG public key fingerprint = A071 E618 DD2C 5901 9574
6FE2 40EA 9883 7519 3F88
key id = 0x75193F88
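To make the two rendering paths concrete, here is an added Python model; it is not cgit's code. `html_txt` mimics cgit's escaping of `<`, `>` and `&`, `fake_md2html` is an assumed stand-in for `md2html` (the real converter's output will differ), and `render_current`/`render_proposed` are hypothetical names for the behaviour described in the mail and the change it proposes.

```python
"""Model of how cgit emits commit_filter output, per the mail above.

Added example, not cgit's own code. html_txt mirrors cgit's html_txt()
(escapes <, > and &); fake_md2html is only a stand-in for md2html.
"""
import re

# Constructed untrusted commit messages for the demonstration.
MARKDOWN_COMMIT = "Fix **bold** bug"
HOSTILE_COMMIT = "<script>alert(1)</script> oops"


def html_txt(text: str) -> str:
    """Escape like cgit's html_txt(): only <, > and & are replaced."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def html_raw(text: str) -> str:
    """Pass through verbatim, like cgit's html_raw()."""
    return text


def fake_md2html(text: str) -> str:
    """Stand-in converter: **x** -> <b>x</b>; it escapes any other markup first.
    Whether the real md2html escapes inline HTML is not stated in the mail."""
    escaped = html_txt(text)
    return re.sub(r"\*\*(.+?)\*\*", r"<b>\1</b>", escaped)


def render_current(message: str, commit_filter=None) -> str:
    """Behaviour the mail observed: filter output still goes through html_txt,
    so the converter's tags show up literally as <b> in the page."""
    text = commit_filter(message) if commit_filter else message
    return html_txt(text)


def render_proposed(message: str, commit_filter=None) -> str:
    """Proposal from the mail: filter output verbatim, html_txt only when
    no filter is configured, so the filter must do its own escaping."""
    if commit_filter:
        return html_raw(commit_filter(message))
    return html_txt(message)


if __name__ == "__main__":
    print("current :", render_current(MARKDOWN_COMMIT, fake_md2html))
    print("proposed:", render_proposed(MARKDOWN_COMMIT, fake_md2html))
    print("no filter:", render_proposed(HOSTILE_COMMIT))
```

With the proposed change, safety rests entirely on the filter escaping untrusted input itself: the stand-in does, while a filter that passes inline HTML through (modelled here by handing `html_raw` in as the filter) would emit it unchanged.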