Re: [PATCH] gitweb: Change to use explicitly function call cgi->escapHTML()

Junio C Hamano wrote:
> Jakub Narebski <jnareb@xxxxxxxxx> writes:
>> Junio C Hamano wrote:
>>
>>> Speaking of -title, I see "sub git_project_list_body" does this:
>>> 
>>>     $cgi->a({ ... -title => $pr->{'descr_long'}}, esc_html($pr->{'descr'}));
>>>         
>>> which seems inconsistent with the earlier quoted $fullname
>>> handling (unless $pr->{'descr_long'} is already quoted and $pr->{'descr'}
>>> is not, which I find highly unlikely).
>>
>> CGI::a() subroutine automatically quotes properly _attribute_ values,
>> but it does not (and it should not) quote _contents_ of a tag.
>>
>> So the above code is correct.
> 
> Sorry, you lost me...  I am wondering what you mean by
> "automatically".  Do you mean 'always'?

Yes, I mean that CGI::a() does quoting _of attributes_, always.
 
> And if that is the case, shouldn't we drop esc_html() around
> $fullname here?
> 
>     ...  For example, many places esc_html()
>     is used as the body of <a ...>$here</a> but some places it is
>     used as
> 
>         $cgi->a({ ... -title =>esc_html($fullname) }, esc_path($dir))
> 
> as we do not have it around $pr->{'descr_long'} in the above?

The above is wrong, thrice. First, it should be esc_path($fullname).
Second, rules for escaping attribute values are different from escaping
HTML. Third, CGI::a() does escaping of attribute values.

Explanation:

  $cgi->a({ ... -attribute => attribute_value }, tag_contents)

is translated to

  <a ... attribute="attribute_value">tag_contents</a>

The rules for escaping attribute values (which are string contents) are
different. For example you have to take care about escaping embedded '"'
and "'" characters; CGI::a() does that for us automatically.

CGI::a() cannot HTML escape tag contents automatically; we might want to
write

  <a href="URL">some <b>bold</b> text</a>

for example. So we have to esc_html (or esc_path) if needed.


In short: escape tag contents if needed, do not escape attribute values.
-- 
Jakub Narebski
Poland
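The distinction made in the message above, reproduced as an added example in Python (this is not gitweb's code and not from the thread). The `a_tag` helper stands in for `$cgi->a()`: it always escapes attribute values, including the embedded `"` and `'` the message mentions, and emits tag contents verbatim so the caller can either pass deliberate markup or escape with `esc_html`. It also shows what goes wrong when `esc_html()` is applied to a value that then lands in an attribute (the `-title => esc_html($fullname)` pattern): the `&` is escaped twice and the tooltip shows a literal `&amp;`. The names `esc_html`, `esc_attr`, `a_tag`, `render_project_link` and `double_escaped_title` are assumptions of this example.

```python
import html


def esc_html(text: str) -> str:
    """Escape text that will be placed as tag *contents* (element text).

    Plays the role of gitweb's esc_html(): '&', '<' and '>' become entities.
    Quotes are harmless in element text, so they are left alone here.
    """
    return html.escape(text, quote=False)


def esc_attr(value: str) -> str:
    """Escape text that will be placed inside a double-quoted *attribute value*.

    Attribute context has an extra rule: '"' and "'" must also be escaped, or
    the value can close the attribute early. This is the quoting CGI::a()
    performs for us automatically.
    """
    return html.escape(value, quote=True)


def a_tag(attrs: dict, contents: str) -> str:
    """Toy stand-in for $cgi->a({ -attr => value, ... }, contents).

    Attribute values are always passed through esc_attr(); contents are
    emitted exactly as given, because the caller may legitimately want
    markup such as "some <b>bold</b> text" inside the link.
    """
    rendered = "".join(f' {name}="{esc_attr(value)}"' for name, value in attrs.items())
    return f"<a{rendered}>{contents}</a>"


def render_project_link(descr_long: str, descr: str) -> str:
    """The correct gitweb pattern: raw value for -title, esc_html() for contents."""
    # "/?p=proj.git" is a constructed href for illustration only.
    return a_tag({"href": "/?p=proj.git", "title": descr_long}, esc_html(descr))


def double_escaped_title(fullname: str) -> str:
    """The pattern the message calls wrong: esc_html() on an attribute value.

    a_tag() escapes the value again, so "&" ends up as "&amp;amp;" and the
    browser renders the tooltip text "&amp;" instead of "&".
    """
    return a_tag({"title": esc_html(fullname)}, "x")


if __name__ == "__main__":
    # Constructed sample inputs: a description with quotes and an ampersand,
    # and a short description that contains markup-like characters.
    print(render_project_link('Says "hi" & bye', "a <b> c"))
    # <a href="/?p=proj.git" title="Says &quot;hi&quot; &amp; bye">a &lt;b&gt; c</a>
    print(double_escaped_title("Tom & Jerry"))
    # <a title="Tom &amp;amp; Jerry">x</a>
    # Deliberate markup as contents is fine when the caller wants it:
    print(a_tag({"href": "URL"}, "some <b>bold</b> text"))
```

Running it shows the three cases side by side: quotes and `&` inside the title attribute are neutralised by the tag helper alone, markup-like characters in the contents are neutralised only because the caller wrapped them in `esc_html`, and escaping a value before handing it to the attribute yields the doubly escaped `&amp;amp;`.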