On Sun, Jul 12, 2020 at 02:00:01PM -0700, Junio C Hamano wrote:
Sorry, but I am not sure the description is understandable to the intended readers of this sentence. Where does this README.html come from?
gitweb reads a README.html from each repository to display on the summary page. 'man 1 gitweb' has a paragraph on it under "Per-repository gitweb configuration".
Is it stored in the history of the repository as a blob, and sent to the browser with a call to git_blob_plain() sub? Wouldn't that
No, it's a plain file in a bare repository, placed there either manually or by a post-update hook.
codepath send the untrusted end-user data as an attachment, in which case relative links in the blob do not get resolved relative to the base URL anyway, no?
I'm not exactly sure what you're saying. gitweb includes the README.html as-is (i.e. without escaping). If the user wanted to include an image, they'd write <img src="blob_plain/HEAD:/image.png"> (assuming this patch landed). In practise, these URLs will be rewritten by the markdown-to-html converter.
