Hello,

just to stop this topic dying ...

On Sat, Aug 14, 2010 at 02:33:33PM +0200, Jakub Narebski wrote:
> On Sat, 14 Aug 2010, Ævar Arnfjörð Bjarmason wrote:
> > 2010/8/14 Stephen Boyd <bebarino@xxxxxxxxx>:
> >> On 08/03/2010 02:50 PM, Jakub Narebski wrote:
> >>>
> >>> +
> >>> + my $title = to_utf8("Search for commits $performed by $author");
> >>> + $title =~ s/[[:cntrl:]]/?/g;
> >>> +
> >>>
> >>
> >> Isn't it possible that other data coming from git could have escape
> >> characters in them such as the commit subject line? In which case this same
> >> bug would occur?
> >>
> >> Therefore isn't it better to strip out control characters (that's what this
> >> patch is doing right?) in esc_html?
> >
> > I don't think stripping them out is the right thing either, hiding
> > from you that something is Really Wrong (binary garbage in patches)
> > isn't good.
> >
> > Something like this would be better:
> >
> >     s/([[:cntrl:]])/sprintf("\\%03x", ord $1)/ge
>
> Or
>     s|([[:cntrl:]])|quot_cec($1)|eg;
>
> But is it worth it? This is about _title_ attribute, shown only on
> mouseover (mouse hover).
>
>
> But perhaps it would be worth it to add 'prep_attr' and 'esc_attr'
> functions, though esc_html can be used in those places where esc_attr
> would be needed...

Is there something I can do to bring this forward? (I assume this isn't
fixed yet, at least it isn't in Debian's 1.7.2.3 package.)

Best regards
Uwe

-- 
Pengutronix e.K.                | Uwe Kleine-König            |
Industrial Linux Solutions      | http://www.pengutronix.de/  |
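
Review bot: the `s/[[:cntrl:]]/?/g` substitution on `$title` is applied at this one call site only and turns every control character into a literal `?`, so a reader of the tooltip cannot tell a genuine question mark in `$author` from a replaced byte. Consider moving the filtering into a shared helper used for every attribute value built from repository data, emitting a visible escape rather than `?`, and adding a comment on why control characters must not reach the title value.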
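
The two options weighed in the thread, replacing control characters with `?` versus making them visible, side by side as an added example (not code from gitweb or from any poster). `show_cntrl` and this `esc_attr` are hypothetical helpers; `esc_attr` only borrows the name proposed above, and the sample author string is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: an author string carrying ESC (0x1b), BEL (0x07) and quotes.
my $author = "A U Thor\x1b[31m\x07 \"x\"";
my $title  = "Search for commits authored by $author";

# Behaviour of the quoted patch: every control character becomes '?'.
sub replace_cntrl {
    my ($s) = @_;
    $s =~ s/[[:cntrl:]]/?/g;
    return $s;
}

# Hypothetical helper: keep the information by printing a visible escape.
my %named = ("\t" => '\t', "\n" => '\n', "\r" => '\r', "\e" => '\e');
sub show_cntrl {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;    # double literal backslashes so the output is unambiguous
    $s =~ s/([[:cntrl:]])/exists $named{$1} ? $named{$1} : sprintf('\\x%02x', ord $1)/ge;
    return $s;
}

# Hypothetical esc_attr: visible control characters first, then the
# characters that are special inside a quoted HTML attribute value.
my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub esc_attr {
    my ($s) = @_;
    $s = show_cntrl($s);
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

printf "%-10s %s\n", 'replaced:', replace_cntrl($title);
printf "%-10s %s\n", 'visible:',  show_cntrl($title);
printf "%-10s <a title=\"%s\">search</a>\n", 'attribute:', esc_attr($title);
```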