Commit 850b90a5 authored by Jakub Narębski, committed by Junio C Hamano

gitweb: Fix displaying unchopped argument in chop_and_escape_str

Do not use esc_html to escape [title] _attribute_ of a HTML element,
and quote unprintable characters.  Replace unprintable characters by
'?' and use CGI method to generate HTML element and do the escaping.

This caused bug noticed by Martin Koegler,
  Message-ID: <[email protected]>
that for bad commit encoding in author name, the title attribute (here
to show full, not shortened name) had embedded HTML code in it, result
of quoting unprintable characters the gitweb/HTML way. This of course
broke the HTML, causing page being not displayed in XML validating web
Signed-off-by: Jakub Narebski <[email protected]>
Signed-off-by: Junio C Hamano <[email protected]>
parent 508e84a7
......@@ -866,8 +866,8 @@ sub chop_and_escape_str {
if ($chopped eq $str) {
return esc_html($chopped);
} else {
return qq{<span title="} . esc_html($str) . qq{">} .
esc_html($chopped) . qq{</span>};
$str =~ s/([[:cntrl:]])/?/g;
return $cgi->span({-title=>$str}, esc_html($chopped));
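Review bot: The new `return $cgi->span({-title=>$str}, esc_html($chopped));` line passes `$str` to the title attribute without esc_html, so the attribute escaping now rests entirely on CGI's span() method, and nothing in the code says so. A one-line comment above it, stating that esc_html must not be applied to attribute values because its quoting of unprintable characters emits markup, would keep a later reader from "restoring" the esc_html call and reintroducing the broken HTML described in the commit message. It is also worth confirming that nothing else esc_html did to the string is still needed for the title, since the message names bad commit encoding as the trigger while the substitution only covers `[[:cntrl:]]`. Minor: in `s/([[:cntrl:]])/?/g` the capture group is unused, so `s/[[:cntrl:]]/?/g` is enough.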