Mercurial > hg
comparison mercurial/templates/gitweb/fileannotate.tmpl @ 18526:9409aeaafdc1 stable
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Without this, repository paths or names containing e.g. & characters or html
tags yielded strange results, possibly allowing cross-site scripting attacks.
author | Thomas Arendsen Hein <thomas@intevation.de> |
---|---|
date | Fri, 01 Feb 2013 20:43:35 +0100 |
parents | bebb05a7e249 |
children | 52305554fd6e |
comparison
equal
deleted
inserted
replaced
18525:462579cbad45 | 18526:9409aeaafdc1 |
---|---|
1 {header} | 1 {header} |
2 <title>{repo|escape}: {file|escape}@{node|short} (annotated)</title> | 2 <title>{repo|escape}: {file|escape}@{node|short} (annotated)</title> |
3 <link rel="alternate" type="application/atom+xml" | 3 <link rel="alternate" type="application/atom+xml" |
4 href="{url}atom-log" title="Atom feed for {repo|escape}"/> | 4 href="{url|urlescape}atom-log" title="Atom feed for {repo|escape}"/> |
5 <link rel="alternate" type="application/rss+xml" | 5 <link rel="alternate" type="application/rss+xml" |
6 href="{url}rss-log" title="RSS feed for {repo|escape}"/> | 6 href="{url|urlescape}rss-log" title="RSS feed for {repo|escape}"/> |
7 </head> | 7 </head> |
8 <body> | 8 <body> |
9 | 9 |
10 <div class="page_header"> | 10 <div class="page_header"> |
11 <a href="{logourl}" title="Mercurial" style="float: right;">Mercurial</a> | 11 <a href="{logourl}" title="Mercurial" style="float: right;">Mercurial</a> |
12 <a href="/">Mercurial</a> {pathdef%breadcrumb} / annotate | 12 <a href="/">Mercurial</a> {pathdef%breadcrumb} / annotate |
13 </div> | 13 </div> |
14 | 14 |
15 <div class="page_nav"> | 15 <div class="page_nav"> |
16 <a href="{url}summary{sessionvars%urlparameter}">summary</a> | | 16 <a href="{url|urlescape}summary{sessionvars%urlparameter}">summary</a> | |
17 <a href="{url}shortlog{sessionvars%urlparameter}">shortlog</a> | | 17 <a href="{url|urlescape}shortlog{sessionvars%urlparameter}">shortlog</a> | |
18 <a href="{url}log{sessionvars%urlparameter}">changelog</a> | | 18 <a href="{url|urlescape}log{sessionvars%urlparameter}">changelog</a> | |
19 <a href="{url}graph{sessionvars%urlparameter}">graph</a> | | 19 <a href="{url|urlescape}graph{sessionvars%urlparameter}">graph</a> | |
20 <a href="{url}tags{sessionvars%urlparameter}">tags</a> | | 20 <a href="{url|urlescape}tags{sessionvars%urlparameter}">tags</a> | |
21 <a href="{url}bookmarks{sessionvars%urlparameter}">bookmarks</a> | | 21 <a href="{url|urlescape}bookmarks{sessionvars%urlparameter}">bookmarks</a> | |
22 <a href="{url}branches{sessionvars%urlparameter}">branches</a> | | 22 <a href="{url|urlescape}branches{sessionvars%urlparameter}">branches</a> | |
23 <a href="{url}file/{node|short}{path|urlescape}{sessionvars%urlparameter}">files</a> | | 23 <a href="{url|urlescape}file/{node|short}{path|urlescape}{sessionvars%urlparameter}">files</a> | |
24 <a href="{url}rev/{node|short}{sessionvars%urlparameter}">changeset</a> | | 24 <a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">changeset</a> | |
25 <a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">file</a> | | 25 <a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">file</a> | |
26 <a href="{url}file/tip/{file|urlescape}{sessionvars%urlparameter}">latest</a> | | 26 <a href="{url|urlescape}file/tip/{file|urlescape}{sessionvars%urlparameter}">latest</a> | |
27 <a href="{url}log/{node|short}/{file|urlescape}{sessionvars%urlparameter}">revisions</a> | | 27 <a href="{url|urlescape}log/{node|short}/{file|urlescape}{sessionvars%urlparameter}">revisions</a> | |
28 annotate | | 28 annotate | |
29 <a href="{url}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">diff</a> | | 29 <a href="{url|urlescape}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">diff</a> | |
30 <a href="{url}comparison/{node|short}/{file|urlescape}{sessionvars%urlparameter}">comparison</a> | | 30 <a href="{url|urlescape}comparison/{node|short}/{file|urlescape}{sessionvars%urlparameter}">comparison</a> | |
31 <a href="{url}raw-annotate/{node|short}/{file|urlescape}">raw</a> | | 31 <a href="{url|urlescape}raw-annotate/{node|short}/{file|urlescape}">raw</a> | |
32 <a href="{url}help{sessionvars%urlparameter}">help</a> | 32 <a href="{url|urlescape}help{sessionvars%urlparameter}">help</a> |
33 <br/> | 33 <br/> |
34 </div> | 34 </div> |
35 | 35 |
36 <div class="title">{file|escape}</div> | 36 <div class="title">{file|escape}</div> |
37 | 37 |
44 <td></td> | 44 <td></td> |
45 <td class="date age">{date|rfc822date}</td></tr> | 45 <td class="date age">{date|rfc822date}</td></tr> |
46 {branch%filerevbranch} | 46 {branch%filerevbranch} |
47 <tr> | 47 <tr> |
48 <td>changeset {rev}</td> | 48 <td>changeset {rev}</td> |
49 <td style="font-family:monospace"><a class="list" href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td></tr> | 49 <td style="font-family:monospace"><a class="list" href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td></tr> |
50 {parent%fileannotateparent} | 50 {parent%fileannotateparent} |
51 {child%fileannotatechild} | 51 {child%fileannotatechild} |
52 <tr> | 52 <tr> |
53 <td>permissions</td> | 53 <td>permissions</td> |
54 <td style="font-family:monospace">{permissions|permissions}</td></tr> | 54 <td style="font-family:monospace">{permissions|permissions}</td></tr> |