path: root/gitweb/gitweb.perl
diff options
authorJakub Narebski <>2009-05-22 15:35:46 (GMT)
committerJunio C Hamano <>2009-05-22 16:26:54 (GMT)
commit14afe77486281e411bfadd131e5c8ffc44e22a26 (patch)
tree36855d5d80d43c4cd413507e4fa18d2df6f0e736 /gitweb/gitweb.perl
parenta80aad7b85fc560451e07792d64ab6cb15a39914 (diff)
gitweb: Sanitize title attribute in format_subject_html
Replace control characters with question mark '?' (like in chop_and_esc_str). A little background: some web browsers turn on strict (and unforgiving) XML validating mode for XHTML documents served using application/xhtml+xml content type. This means among others that control characters are forbidden to appear in gitweb output. does by default slight escaping (using simple_escape subroutine from CGI::Util) of all _attribute_ values (depending on the value of autoEscape, by default on). This escaping, at least in version 3.10 (most current version at CPAN is 3.43), is minimal: only '"', '&', '<' and '>' are escaped using named HTML entity references (&quot;, &amp;, &lt; and &gt; respectively). But simple_escape does not do escaping of control characters such as ^X which are invalid in XHTML (in strict mode). If by some accident commit message do contain some control character in first 50 characters (more or less) of first line of commit message, and this line is longer than 50 characters (so gitweb shortens it for display), then gitweb would put this control character in title attribute (and would not remove them). The tag _contents_ is safe because it is escaped using esc_html() explicitly, and it replaces control characters by their printable representation. While at it: chop_and_escape_str doesn't need capturing group. Noticed-by: Paul Gortmaker <> Signed-off-by: Jakub Narebski <> Signed-off-by: Junio C Hamano <>
Diffstat (limited to 'gitweb/gitweb.perl')
1 files changed, 2 insertions, 1 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 06e9160..d143829 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1235,7 +1235,7 @@ sub chop_and_escape_str {
if ($chopped eq $str) {
return esc_html($chopped);
} else {
- $str =~ s/([[:cntrl:]])/?/g;
+ $str =~ s/[[:cntrl:]]/?/g;
return $cgi->span({-title=>$str}, esc_html($chopped));
@@ -1458,6 +1458,7 @@ sub format_subject_html {
$extra = '' unless defined($extra);
if (length($short) < length($long)) {
+ $long =~ s/[[:cntrl:]]/?/g;
return $cgi->a({-href => $href, -class => "list subject",
-title => to_utf8($long)},
esc_html($short) . $extra);