On Sat, 14 Aug 2010, Ævar Arnfjörð Bjarmason wrote:

> 2010/8/14 Stephen Boyd <bebarino@xxxxxxxxx>:
>> On 08/03/2010 02:50 PM, Jakub Narebski wrote:
>>>
>>> +
>>> + my $title = to_utf8("Search for commits $performed by $author");
>>> + $title =~ s/[[:cntrl:]]/?/g;
>>> +
>>>
>>
>> Isn't it possible that other data coming from git could have escape
>> characters in them such as the commit subject line? In which case this same
>> bug would occur?
>>
>> Therefore isn't it better to strip out control characters (that's what this
>> patch is doing right?) in esc_html?
>
> I don't think stripping them out is the right thing either, hiding
> from you that something is Really Wrong (binary garbage in patches)
> isn't good.
>
> Something like this would be better:
>
> s/([[:cntrl:]])/sprintf("\\%03x", ord $1)/ge

Or

  s|([[:cntrl:]])|quot_cec($1)|eg;

But is it worth it? This is about the _title_ attribute, shown only on
mouseover (mouse hover).

But perhaps it would be worth it to add 'prep_attr' and 'esc_attr'
functions, though esc_html can be used in those places where esc_attr
would be needed...

-- 
Jakub Narebski
Poland
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
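Review bot: `$title =~ s/[[:cntrl:]]/?/g;` replaces every control character with a literal `?`, so malformed input (binary garbage in an author name or subject) becomes indistinguishable from a genuine question mark, and the substitution is applied only to this one `title` value while other git-derived strings that end up in attributes get no equivalent treatment in this hunk. Suggest moving the handling into a dedicated attribute-escaping helper (an `esc_attr` alongside `esc_html`) that renders control characters visibly, for example with `quot_cec`, and calling it wherever an attribute value is built from repository data.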
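The `esc_attr` idea raised above, written out as an added example; this is not gitweb's code nor anything posted in the thread. It assumes a small `quot_cec_simple` helper (caret notation, `^[` for ESC) standing in for gitweb's `quot_cec`, and a constructed author string as input. The point it demonstrates is the defensive choice discussed here: HTML-escape the value for an attribute context and keep control characters visible rather than silently collapsing them to `?`.

```perl
#!/usr/bin/perl
# Added example, not gitweb's own code: an esc_attr helper that keeps
# control characters visible instead of silently turning them into '?'.
use strict;
use warnings;

# Render one control character in caret notation (^A .. ^_, ^? for DEL).
# This stands in for gitweb's quot_cec and is an assumption for the example.
sub quot_cec_simple {
    my ($cntrl) = @_;
    my $ord = ord $cntrl;
    my $chr = $ord == 127 ? '?' : chr($ord + 64);   # 0x01 -> 'A', 0x1b -> '['
    return "^$chr";
}

# Escape a string for use inside a double-quoted HTML attribute value.
# Tab, newline and CR are left alone (browsers treat them as whitespace in
# attributes); every other control character is shown as ^X so that garbage
# in repository data stays noticeable instead of vanishing.
sub esc_attr {
    my ($str) = @_;
    return '' unless defined $str;
    $str =~ s/&/&amp;/g;
    $str =~ s/</&lt;/g;
    $str =~ s/>/&gt;/g;
    $str =~ s/"/&quot;/g;
    $str =~ s/'/&#39;/g;
    $str =~ s/([[:cntrl:]])/(index("\t\n\r", $1) != -1 ? $1 : quot_cec_simple($1))/eg;
    return $str;
}

# Constructed input: an author string carrying an ANSI escape sequence
# and a double quote, the two things most likely to break a title attribute.
my $author = qq{Some Author <a\@example.invalid> \e[31mred"};
my $title  = esc_attr("Search for commits by $author");
print qq{<a href="#" title="$title">search</a>\n};
```

The escape sequence ends up as the visible text `^[[31m` inside the attribute, and the embedded quote becomes `&quot;`, so the attribute boundary cannot be closed early and a reader hovering over the link can still tell that the author field contained something odd.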