This series fixes an XSS issue reported to the git-security list where gitweb doesn't always quote its base url, meaning a specially-crafted URL can inject HTML into the finished page.

Given the relatively low severity of the problem and my lack of familiarity with gitweb, it makes sense to me to just discuss this one in the open.

Credit for finding the problem (and some patient explanations) goes to NAKAYAMA DAISUKE <nakyamad@xxxxxxxxxx>.

  [1/4]: t9502: pass along all arguments in xss helper
  [2/4]: t/gitweb-lib.sh: drop confusing quotes
  [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
  [4/4]: gitweb: escape URLs generated by href()

 gitweb/gitweb.perl                        | 31 +++++++++++++----------
 t/gitweb-lib.sh                           |  7 ++---
 t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
 3 files changed, 25 insertions(+), 20 deletions(-)

-Peff