mirror of
https://github.com/git/git.git
synced 2024-11-19 07:34:11 +01:00
gitweb: Don't escape attributes in CGI.pm HTML methods
There is no need to escape HTML tag's attributes in CGI.pm HTML methods (like CGI::a()), because CGI.pm does attribute escaping automatically. $cgi->a({ ... -attribute => atribute_value }, tag_contents) is translated to <a ... attribute="attribute_value">tag_contents</a> The rules for escaping attribute values (which are string contents) are different. For example you have to take care about escaping embedded '"' and "'" characters; CGI::a() does that for us automatically. CGI::a() does not HTML escape tag_contents; we would need to write <a href="URL">some <b>bold</b> text</a> for example. So we use esc_html (or esc_path) to escape tag_contents as needed. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
This commit is contained in:
parent
290b1467a3
commit
346d5e1835
@ -1974,17 +1974,17 @@ sub git_print_page_path {
|
||||
$fullname .= ($fullname ? '/' : '') . $dir;
|
||||
print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
|
||||
hash_base=>$hb),
|
||||
-title => esc_html($fullname)}, esc_path($dir));
|
||||
-title => $fullname}, esc_path($dir));
|
||||
print " / ";
|
||||
}
|
||||
if (defined $type && $type eq 'blob') {
|
||||
print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
|
||||
hash_base=>$hb),
|
||||
-title => esc_html($name)}, esc_path($basename));
|
||||
-title => $name}, esc_path($basename));
|
||||
} elsif (defined $type && $type eq 'tree') {
|
||||
print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
|
||||
hash_base=>$hb),
|
||||
-title => esc_html($name)}, esc_path($basename));
|
||||
-title => $name}, esc_path($basename));
|
||||
print " / ";
|
||||
} else {
|
||||
print esc_path($basename);
|
||||
|
Loading…
Reference in New Issue
Block a user