comparison mercurial/templates/spartan/map @ 18526:9409aeaafdc1 stable
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Without this, repository paths or names containing e.g. & characters or html
tags yielded strange results, possibly allowing cross-site scripting attacks.
author | Thomas Arendsen Hein <thomas@intevation.de> |
---|---|
date | Fri, 01 Feb 2013 20:43:35 +0100 |
parents | bebb05a7e249 |
children | 9e1f4c65f5f5 |
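--- a/mercurial/templates/spartan/map
+++ b/mercurial/templates/spartan/map
@@ -5,16 +5,16 @@
 search = search.tmpl
 changelog = changelog.tmpl
 shortlog = shortlog.tmpl
 shortlogentry = shortlogentry.tmpl
 graph = graph.tmpl
-naventry = '<a href="{url}log/{node|short}{sessionvars%urlparameter}">{label|escape}</a> '
-navshortentry = '<a href="{url}shortlog/{node|short}{sessionvars%urlparameter}">{label|escape}</a> '
-navgraphentry = '<a href="{url}graph/{node|short}{sessionvars%urlparameter}">{label|escape}</a> '
-filenaventry = '<a href="{url}log/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{label|escape}</a> '
-filedifflink = '<a href="{url}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> '
-filenodelink = '<a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> '
+naventry = '<a href="{url|urlescape}log/{node|short}{sessionvars%urlparameter}">{label|escape}</a> '
+navshortentry = '<a href="{url|urlescape}shortlog/{node|short}{sessionvars%urlparameter}">{label|escape}</a> '
+navgraphentry = '<a href="{url|urlescape}graph/{node|short}{sessionvars%urlparameter}">{label|escape}</a> '
+filenaventry = '<a href="{url|urlescape}log/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{label|escape}</a> '
+filedifflink = '<a href="{url|urlescape}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> '
+filenodelink = '<a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> '
 filenolink = '{file|escape} '
 fileellipses = '...'
 changelogentry = changelogentry.tmpl
 searchentry = changelogentry.tmpl
 changeset = changeset.tmpl
@@ -29,21 +29,21 @@
 <tr class="parity{parity}">
 <td><tt>drwxr-xr-x</tt>
 <td>
 <td>
 <td>
-<a href="{url}file/{node|short}{path|urlescape}{sessionvars%urlparameter}">{basename|escape}/</a>
-<a href="{url}file/{node|short}{path|urlescape}/{emptydirs|urlescape}{sessionvars%urlparameter}">
+<a href="{url|urlescape}file/{node|short}{path|urlescape}{sessionvars%urlparameter}">{basename|escape}/</a>
+<a href="{url|urlescape}file/{node|short}{path|urlescape}/{emptydirs|urlescape}{sessionvars%urlparameter}">
 {emptydirs|urlescape}
 </a>'
 
 fileentry = '
 <tr class="parity{parity}">
 <td><tt>{permissions|permissions}</tt>
 <td align=right><tt class="date">{date|isodate}</tt>
 <td align=right><tt>{size}</tt>
-<td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{basename|escape}</a>'
+<td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{basename|escape}</a>'
 
 filerevision = filerevision.tmpl
 fileannotate = fileannotate.tmpl
 filediff = filediff.tmpl
 filelog = filelog.tmpl
@@ -54,11 +54,11 @@
 # is an empty line in the annotated file), which in turn ensures that
 # all table rows have equal height.
 annotateline = '
 <tr class="parity{parity}">
 <td class="annotate">
-<a href="{url}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}#l{targetline}"
+<a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}#l{targetline}"
 title="{node|short}: {desc|escape|firstline}">{author|user}@{rev}</a>
 </td>
 <td>
 <a class="lineno" href="#{lineid}" id="{lineid}">{linenumber}</a>
 </td>
@@ -70,115 +70,115 @@
 diffline = '<a class="lineno" href="#{lineid}" id="{lineid}">{linenumber}</a>{line|escape}'
 changelogparent = '
 <tr>
 <th class="parent">parent {rev}:</th>
 <td class="parent">
-<a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a>
+<a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a>
 </td>
 </tr>'
 changesetparent = '
 <tr>
 <th class="parent">parent {rev}:</th>
-<td class="parent"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
+<td class="parent"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 filerevparent = '
 <tr>
 <td class="metatag">parent:</td>
 <td>
-<a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">
+<a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">
 {rename%filerename}{node|short}
 </a>
 </td>
 </tr>'
 filerename = '{file|escape}@'
 filelogrename = '
 <tr>
 <th>base:</th>
 <td>
-<a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">
+<a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">
 {file|escape}@{node|short}
 </a>
 </td>
 </tr>'
 fileannotateparent = '
 <tr>
 <td class="metatag">parent:</td>
 <td>
-<a href="{url}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">
+<a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">
 {rename%filerename}{node|short}
 </a>
 </td>
 </tr>'
 changesetchild = '
 <tr>
 <th class="child">child {rev}:</th>
-<td class="child"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
+<td class="child"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 changelogchild = '
 <tr>
 <th class="child">child {rev}:</th>
-<td class="child"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
+<td class="child"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 filerevchild = '
 <tr>
 <td class="metatag">child:</td>
-<td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
+<td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 fileannotatechild = '
 <tr>
 <td class="metatag">child:</td>
-<td><a href="{url}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
+<td><a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 tags = tags.tmpl
 tagentry = '
 <li class="tagEntry parity{parity}">
 <tt class="node">{node}</tt>
-<a href="{url}rev/{node|short}{sessionvars%urlparameter}">{tag|escape}</a>
+<a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{tag|escape}</a>
 </li>'
 branches = branches.tmpl
 branchentry = '
 <li class="tagEntry parity{parity}">
 <tt class="node">{node}</tt>
-<a href="{url}shortlog/{node|short}{sessionvars%urlparameter}" class="{status}">{branch|escape}</a>
+<a href="{url|urlescape}shortlog/{node|short}{sessionvars%urlparameter}" class="{status}">{branch|escape}</a>
 </li>'
 diffblock = '<pre class="parity{parity}">{lines}</pre>'
 changelogtag = '<tr><th class="tag">tag:</th><td class="tag">{tag|escape}</td></tr>'
 changesettag = '<tr><th class="tag">tag:</th><td class="tag">{tag|escape}</td></tr>'
 filediffparent = '
 <tr>
 <th class="parent">parent {rev}:</th>
-<td class="parent"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
+<td class="parent"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 filelogparent = '
 <tr>
 <th>parent {rev}:</th>
-<td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
+<td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 filediffchild = '
 <tr>
 <th class="child">child {rev}:</th>
-<td class="child"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
+<td class="child"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 filelogchild = '
 <tr>
 <th>child {rev}:</th>
-<td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
+<td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>'
 indexentry = '
 <tr class="parity{parity}">
-<td><a href="{url}{sessionvars%urlparameter}">{name|escape}</a></td>
+<td><a href="{url|urlescape}{sessionvars%urlparameter}">{name|escape}</a></td>
 <td>{description}</td>
 <td>{contact|obfuscate}</td>
 <td class="age">{lastchange|rfc822date}</td>
 <td class="indexlinks">
-<a href="{url}rss-log">RSS</a>
-<a href="{url}atom-log">Atom</a>
+<a href="{url|urlescape}rss-log">RSS</a>
+<a href="{url|urlescape}atom-log">Atom</a>
 {archives%archiveentry}
 </td>
 </tr>'
 index = index.tmpl
-archiveentry = '<a href="{url}archive/{node|short}{extension|urlescape}">{type|escape}</a> '
+archiveentry = '<a href="{url|urlescape}archive/{node|short}{extension|urlescape}">{type|escape}</a> '
 notfound = notfound.tmpl
 error = error.tmpl
 urlparameter = '{separator}{name}={value|urlescape}'
 hiddenformentry = '<input type="hidden" name="{name}" value="{value|escape}" />'
-breadcrumb = '> <a href="{url}">{name}</a> '
+breadcrumb = '> <a href="{url|urlescape}">{name|escape}</a> '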
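Review bot: `indexentry` still emits `{description}` with no filter at line 169, and `annotateline` emits `{author|user}` without `|escape` at line 60, so the new side does not yet escape every value that originates in repository configuration or commit metadata. If the description is not meant to carry markup, the line should read `<td>{description|escape}</td>`; if raw HTML is intentional there, a `#` comment above `indexentry` saying so would keep the next audit from flagging it again. Whether the `user` filter can pass markup characters through is not visible on this page, so that one needs checking against the filter's implementation. Line 36 uses `{emptydirs|urlescape}` as visible link text, where `{emptydirs|escape}` would match the `{basename|escape}` on line 34 and display readable directory names. It is also worth confirming that `{url}` can never contain a `?` or a scheme, since `urlescape` would presumably percent-encode those and break every link in this map.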