[PATCH] gitweb: Don't escape attributes in CGI.pm HTML methods

There is no need to escape HTML tag's attributes in CGI.pm
HTML methods (like CGI::a()), because CGI.pm does attribute
escaping automatically.

Explanation:
  $cgi->a({ ... -attribute => attribute_value }, tag_contents)
is translated to
  <a ... attribute="attribute_value">tag_contents</a>
The rules for escaping attribute values (which are string contents) are
different. For example you have to take care about escaping embedded '"'
and "'" characters; CGI::a() does that for us automatically.

CGI::a() cannot HTML escape tag contents automatically; we might want to
write
  <a href="URL">some <b>bold</b> text</a>
for example. So we have to esc_html (or esc_path) if needed.

Signed-off-by: Jakub Narebski <jnareb@xxxxxxxxx>
---
Junio C Hamano wrote:
> Jakub Narebski <jnareb@xxxxxxxxx> writes:
> 
>> In short: escape tag contents if needed, do not escape attribute values.
> 
> I trust a patch from you will follow shortly?

Here it is. I hope I found everything.

Commit message is a bit long, so you can cut it to the first sentence only
(or even only to title/subject).


 gitweb/gitweb.perl |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 653ca3c..ea58946 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1974,17 +1974,17 @@ sub git_print_page_path {
 			$fullname .= ($fullname ? '/' : '') . $dir;
 			print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
 			                             hash_base=>$hb),
-			              -title => esc_html($fullname)}, esc_path($dir));
+			              -title => $fullname}, esc_path($dir));
 			print " / ";
 		}
 		if (defined $type && $type eq 'blob') {
 			print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
 			                             hash_base=>$hb),
-			              -title => esc_html($name)}, esc_path($basename));
+			              -title => $name}, esc_path($basename));
 		} elsif (defined $type && $type eq 'tree') {
 			print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
 			                             hash_base=>$hb),
-			              -title => esc_html($name)}, esc_path($basename));
+			              -title => $name}, esc_path($basename));
 			print " / ";
 		} else {
 			print esc_path($basename);
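Review bot: in git_print_page_path the three `-title` arguments now carry raw `$fullname` and `$name`, and nothing at the call sites says why that is safe. A short comment above the first `$cgi->a(...)` call, stating that CGI.pm escapes attribute values itself and that only the tag contents need `esc_path`/`esc_html`, would keep a later change from putting `esc_html()` back and double-escaping the title. The hunk and the diffstat (3 insertions, 3 deletions) cover this one function only, so it is worth grepping the rest of gitweb.perl for `esc_html(` inside other `$cgi->a({...})` attribute hashes before merging.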
-- 
1.5.0.2
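
The escaping rule from the commit message, as an added example that is not part of the patch or of gitweb: it builds the same kind of link with the `-title` value escaped by hand (before) and passed raw (after), then decodes the attribute once, as a browser does. It assumes CGI.pm is installed; `esc_html_standin` and the sample path are constructed for illustration, and gitweb's real `esc_html` is not shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(-no_debug);    # CGI.pm; from CPAN on Perl 5.22 and later

my $cgi = CGI->new({});   # empty parameter set, no web server needed

# Constructed sample path containing characters that are special in HTML.
my $name = 'docs/R&D "draft"/<notes>';

# Hypothetical stand-in for gitweb's esc_html(): plain HTML escaping only.
sub esc_html_standin { return $cgi->escapeHTML($_[0]) }

# Extract the title attribute from the generated tag and decode it once,
# which is what a browser does before showing the tooltip.
sub rendered_title {
    my ($html) = @_;
    my ($raw) = $html =~ /\btitle="([^"]*)"/i
        or die "no title attribute in: $html";
    return $cgi->unescapeHTML($raw);
}

# Before the patch: the attribute value is escaped by the caller,
# then escaped a second time by CGI::a().
my $before = $cgi->a({ -href => '#', -title => esc_html_standin($name) },
                     esc_html_standin($name));

# After the patch: the raw value goes in and CGI::a() escapes it once.
# Tag contents are still escaped by the caller.
my $after = $cgi->a({ -href => '#', -title => $name },
                    esc_html_standin($name));

for my $case ([ 'before patch', $before ], [ 'after patch', $after ]) {
    my ($label, $html) = @$case;
    my $seen = rendered_title($html);
    my $verdict = $seen eq $name
        ? 'tooltip matches the real name'
        : 'double-escaped: entities are visible to the user';
    print "$label\n  html:    $html\n  tooltip: $seen\n  $verdict\n";
}

# Tag contents are the opposite case: CGI::a() emits them verbatim,
# so leaving out the escape puts the raw <notes> markup into the page.
print "contents not escaped\n  html:    ",
    $cgi->a({ -href => '#' }, $name), "\n";
```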