Re: gitweb not friendly to firefox revived

On Sat, 14 Aug 2010, Stephen Boyd wrote:
>   On 08/03/2010 02:50 PM, Jakub Narebski wrote:
> > +
> > +	my $title = to_utf8("Search for commits $performed by $author");
> > +	$title =~ s/[[:cntrl:]]/?/g;
> > +
> >
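Review bot: the `s/[[:cntrl:]]/?/g` fixes only this one title string; any other attribute value built from git data and handed to CGI.pm (a commit subject passed as `-title`, for instance) would still carry raw control characters, so consider moving the substitution into a small helper that is applied to every such attribute value rather than patching this single caller. Note also that `[[:cntrl:]]` matches TAB, LF and CR, which XML does permit, so replacing them with `?` is stricter than well-formedness requires; harmless in a title, but worth a comment.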
> 
> Isn't it possible that other data coming from git could have escape
> characters in them such as the commit subject line? In which case this
> same bug would occur?  
> 
> Therefore isn't it better to strip out control characters (that's what
> this patch is doing right?) in esc_html? 

First, esc_html and esc_path *do* escape control characters using
either control escape characters (e.g. "\n" for LF), or escaped octal 
representation (e.g. "\001").

Second, it does not help with the contents of *attributes* of HTML tag 
elements (like e.g. the 'title' attribute) when those elements are 
generated using CGI (e.g. $cgi->a({..., -title => ...}, esc_html(...))).
Unfortunately (older?) CGI.pm does not escape control characters, and
we cannot do the escaping ourselves because it would lead to double escaping.


The problem with Firefox is that in the strict XHTML conformance model 
(XHTML DTD and application/xhtml+xml mimetype) it *enforces* that the XML
is well formed, which includes the absence of control characters, instead
of silently allowing them as in the more lenient HTML mode.

-- 
Jakub Narebski
Poland
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
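The two points in the reply above, shown in an added example (not gitweb's own code): body text survives because control characters are turned into visible escapes, while a raw control character inside an attribute makes the whole fragment ill-formed under a strict XML parse, and HTML escaping cannot repair that. The function names esc_html, strip_cntrl, link and is_well_formed are my own, the "CGI.pm-like" attribute rendering is a stand-in that only quotes the usual HTML metacharacters, and the commit subject is constructed.

```python
"""Control characters in XHTML: body text vs. attribute values.

Added example modelled on the description in the reply; it is not gitweb
code.  Uses only the standard library so it runs offline.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# ASCII range of POSIX [[:cntrl:]] as used in the quoted patch: C0 controls + DEL.
CNTRL = re.compile(r"[\x00-\x1f\x7f]")

# Printable renderings for the common controls; anything else becomes "\NNN" octal.
_NAMED = {"\n": r"\n", "\r": r"\r", "\t": r"\t", "\f": r"\f",
          "\b": r"\b", "\v": r"\v", "\a": r"\a"}


def esc_html(text):
    """Body-text escaping in the spirit of what the reply says esc_html does:
    HTML-escape &, <, >, then make control characters visible ("\\n", "\\001")."""
    def render(m):
        c = m.group(0)
        return _NAMED.get(c) or "\\%03o" % ord(c)
    return CNTRL.sub(render, escape(text))


def strip_cntrl(text):
    """The patch's fix, usable for any attribute value: s/[[:cntrl:]]/?/g."""
    return CNTRL.sub("?", text)


def link(href, title, body, sanitize_attrs):
    """Render <a href=... title=...>body</a>.

    With sanitize_attrs=False the title is only quoted the way a CGI.pm that
    ignores control characters would (stand-in, not CGI.pm itself): &, <, >, "
    and the three XML-legal whitespace controls are escaped, nothing else.
    """
    if sanitize_attrs:
        title = strip_cntrl(title)
    return "<a href=%s title=%s>%s</a>" % (quoteattr(href), quoteattr(title),
                                          esc_html(body))


def is_well_formed(fragment):
    """Parse as strictly as application/xhtml+xml would: any error is fatal."""
    try:
        ET.fromstring("<div>%s</div>" % fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed commit subject carrying an ANSI colour escape sequence.
    subject = "Fix \x1b[31mred\x1b[0m output"
    print("body text:", esc_html(subject))
    for sanitize in (False, True):
        html = link("#", subject, subject, sanitize)
        print("sanitize_attrs=%s well-formed=%s" % (sanitize, is_well_formed(html)))
    # A character reference does not help either: &#1; is itself illegal in XML 1.0.
    print("char ref:", is_well_formed('<span title="&#1;">x</span>'))
```

The body text in both variants goes through esc_html and is fine; only the unsanitized title attribute breaks the strict parse, which is exactly why the fix has to happen on the attribute value itself before it reaches the attribute-building code.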