subject:"\[PATCH 1\/3\] ui\-refs\: escape HTML chars in author and tagger names"

[PATCH 1/3] ui-refs: escape HTML chars in author and tagger names

2014-01-12 Thread John Keeping

Everywhere else we use html_txt to escape any special characters in
these variables.  Do so here as well.

Signed-off-by: John Keeping j...@keeping.me.uk
---
I spotted this while looking at Jason's jd/gravatar series.  The
following two patches cover other similar issues I spotted while
auditing all uses of html().  I think everything else is OK.

 ui-refs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ui-refs.c b/ui-refs.c
index 20c91e3..c97b0c6 100644
--- a/ui-refs.c
+++ b/ui-refs.c
@@ -155,9 +155,9 @@ static int print_tag(struct refinfo *ref)
html(/tdtd);
if (info) {
if (info-tagger)
-   html(info-tagger);
+   html_txt(info-tagger);
} else if (ref-object-type == OBJ_COMMIT) {
-   html(ref-commit-author);
+   html_txt(ref-commit-author);
}
html(/tdtd colspan='2');
if (info) {
-- 
1.8.5.226.g0d60d77

___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit

Re: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names

2014-01-12 Thread Jason A. Donenfeld

Same question here -- XSS potential?
___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit

[PATCH 1/3] ui-refs: escape HTML chars in author and tagger names

Re: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names

2 matches

Site Navigation

Mail list logo

Footer information