Mercurial > hg
comparison mercurial/templates/spartan/map @ 18526:9409aeaafdc1 stable
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Without this, repository paths or names containing e.g. & characters or html
tags yielded strange results, possibly allowing cross-site scripting attacks.
| author | Thomas Arendsen Hein <thomas@intevation.de> |
|---|---|
| date | Fri, 01 Feb 2013 20:43:35 +0100 |
| parents | bebb05a7e249 |
| children | 9e1f4c65f5f5 |
comparison
equal
deleted
inserted
replaced
| 18525:462579cbad45 | 18526:9409aeaafdc1 |
|---|---|
| 5 search = search.tmpl | 5 search = search.tmpl |
| 6 changelog = changelog.tmpl | 6 changelog = changelog.tmpl |
| 7 shortlog = shortlog.tmpl | 7 shortlog = shortlog.tmpl |
| 8 shortlogentry = shortlogentry.tmpl | 8 shortlogentry = shortlogentry.tmpl |
| 9 graph = graph.tmpl | 9 graph = graph.tmpl |
| 10 naventry = '<a href="{url}log/{node|short}{sessionvars%urlparameter}">{label|escape}</a> ' | 10 naventry = '<a href="{url|urlescape}log/{node|short}{sessionvars%urlparameter}">{label|escape}</a> ' |
| 11 navshortentry = '<a href="{url}shortlog/{node|short}{sessionvars%urlparameter}">{label|escape}</a> ' | 11 navshortentry = '<a href="{url|urlescape}shortlog/{node|short}{sessionvars%urlparameter}">{label|escape}</a> ' |
| 12 navgraphentry = '<a href="{url}graph/{node|short}{sessionvars%urlparameter}">{label|escape}</a> ' | 12 navgraphentry = '<a href="{url|urlescape}graph/{node|short}{sessionvars%urlparameter}">{label|escape}</a> ' |
| 13 filenaventry = '<a href="{url}log/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{label|escape}</a> ' | 13 filenaventry = '<a href="{url|urlescape}log/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{label|escape}</a> ' |
| 14 filedifflink = '<a href="{url}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> ' | 14 filedifflink = '<a href="{url|urlescape}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> ' |
| 15 filenodelink = '<a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> ' | 15 filenodelink = '<a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{file|escape}</a> ' |
| 16 filenolink = '{file|escape} ' | 16 filenolink = '{file|escape} ' |
| 17 fileellipses = '...' | 17 fileellipses = '...' |
| 18 changelogentry = changelogentry.tmpl | 18 changelogentry = changelogentry.tmpl |
| 19 searchentry = changelogentry.tmpl | 19 searchentry = changelogentry.tmpl |
| 20 changeset = changeset.tmpl | 20 changeset = changeset.tmpl |
| 29 <tr class="parity{parity}"> | 29 <tr class="parity{parity}"> |
| 30 <td><tt>drwxr-xr-x</tt> | 30 <td><tt>drwxr-xr-x</tt> |
| 31 <td> | 31 <td> |
| 32 <td> | 32 <td> |
| 33 <td> | 33 <td> |
| 34 <a href="{url}file/{node|short}{path|urlescape}{sessionvars%urlparameter}">{basename|escape}/</a> | 34 <a href="{url|urlescape}file/{node|short}{path|urlescape}{sessionvars%urlparameter}">{basename|escape}/</a> |
| 35 <a href="{url}file/{node|short}{path|urlescape}/{emptydirs|urlescape}{sessionvars%urlparameter}"> | 35 <a href="{url|urlescape}file/{node|short}{path|urlescape}/{emptydirs|urlescape}{sessionvars%urlparameter}"> |
| 36 {emptydirs|urlescape} | 36 {emptydirs|urlescape} |
| 37 </a>' | 37 </a>' |
| 38 | 38 |
| 39 fileentry = ' | 39 fileentry = ' |
| 40 <tr class="parity{parity}"> | 40 <tr class="parity{parity}"> |
| 41 <td><tt>{permissions|permissions}</tt> | 41 <td><tt>{permissions|permissions}</tt> |
| 42 <td align=right><tt class="date">{date|isodate}</tt> | 42 <td align=right><tt class="date">{date|isodate}</tt> |
| 43 <td align=right><tt>{size}</tt> | 43 <td align=right><tt>{size}</tt> |
| 44 <td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{basename|escape}</a>' | 44 <td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{basename|escape}</a>' |
| 45 | 45 |
| 46 filerevision = filerevision.tmpl | 46 filerevision = filerevision.tmpl |
| 47 fileannotate = fileannotate.tmpl | 47 fileannotate = fileannotate.tmpl |
| 48 filediff = filediff.tmpl | 48 filediff = filediff.tmpl |
| 49 filelog = filelog.tmpl | 49 filelog = filelog.tmpl |
| 54 # is an empty line in the annotated file), which in turn ensures that | 54 # is an empty line in the annotated file), which in turn ensures that |
| 55 # all table rows have equal height. | 55 # all table rows have equal height. |
| 56 annotateline = ' | 56 annotateline = ' |
| 57 <tr class="parity{parity}"> | 57 <tr class="parity{parity}"> |
| 58 <td class="annotate"> | 58 <td class="annotate"> |
| 59 <a href="{url}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}#l{targetline}" | 59 <a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}#l{targetline}" |
| 60 title="{node|short}: {desc|escape|firstline}">{author|user}@{rev}</a> | 60 title="{node|short}: {desc|escape|firstline}">{author|user}@{rev}</a> |
| 61 </td> | 61 </td> |
| 62 <td> | 62 <td> |
| 63 <a class="lineno" href="#{lineid}" id="{lineid}">{linenumber}</a> | 63 <a class="lineno" href="#{lineid}" id="{lineid}">{linenumber}</a> |
| 64 </td> | 64 </td> |
| 70 diffline = '<a class="lineno" href="#{lineid}" id="{lineid}">{linenumber}</a>{line|escape}' | 70 diffline = '<a class="lineno" href="#{lineid}" id="{lineid}">{linenumber}</a>{line|escape}' |
| 71 changelogparent = ' | 71 changelogparent = ' |
| 72 <tr> | 72 <tr> |
| 73 <th class="parent">parent {rev}:</th> | 73 <th class="parent">parent {rev}:</th> |
| 74 <td class="parent"> | 74 <td class="parent"> |
| 75 <a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a> | 75 <a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a> |
| 76 </td> | 76 </td> |
| 77 </tr>' | 77 </tr>' |
| 78 changesetparent = ' | 78 changesetparent = ' |
| 79 <tr> | 79 <tr> |
| 80 <th class="parent">parent {rev}:</th> | 80 <th class="parent">parent {rev}:</th> |
| 81 <td class="parent"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> | 81 <td class="parent"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> |
| 82 </tr>' | 82 </tr>' |
| 83 filerevparent = ' | 83 filerevparent = ' |
| 84 <tr> | 84 <tr> |
| 85 <td class="metatag">parent:</td> | 85 <td class="metatag">parent:</td> |
| 86 <td> | 86 <td> |
| 87 <a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}"> | 87 <a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}"> |
| 88 {rename%filerename}{node|short} | 88 {rename%filerename}{node|short} |
| 89 </a> | 89 </a> |
| 90 </td> | 90 </td> |
| 91 </tr>' | 91 </tr>' |
| 92 filerename = '{file|escape}@' | 92 filerename = '{file|escape}@' |
| 93 filelogrename = ' | 93 filelogrename = ' |
| 94 <tr> | 94 <tr> |
| 95 <th>base:</th> | 95 <th>base:</th> |
| 96 <td> | 96 <td> |
| 97 <a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}"> | 97 <a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}"> |
| 98 {file|escape}@{node|short} | 98 {file|escape}@{node|short} |
| 99 </a> | 99 </a> |
| 100 </td> | 100 </td> |
| 101 </tr>' | 101 </tr>' |
| 102 fileannotateparent = ' | 102 fileannotateparent = ' |
| 103 <tr> | 103 <tr> |
| 104 <td class="metatag">parent:</td> | 104 <td class="metatag">parent:</td> |
| 105 <td> | 105 <td> |
| 106 <a href="{url}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}"> | 106 <a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}"> |
| 107 {rename%filerename}{node|short} | 107 {rename%filerename}{node|short} |
| 108 </a> | 108 </a> |
| 109 </td> | 109 </td> |
| 110 </tr>' | 110 </tr>' |
| 111 changesetchild = ' | 111 changesetchild = ' |
| 112 <tr> | 112 <tr> |
| 113 <th class="child">child {rev}:</th> | 113 <th class="child">child {rev}:</th> |
| 114 <td class="child"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> | 114 <td class="child"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> |
| 115 </tr>' | 115 </tr>' |
| 116 changelogchild = ' | 116 changelogchild = ' |
| 117 <tr> | 117 <tr> |
| 118 <th class="child">child {rev}:</th> | 118 <th class="child">child {rev}:</th> |
| 119 <td class="child"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> | 119 <td class="child"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> |
| 120 </tr>' | 120 </tr>' |
| 121 filerevchild = ' | 121 filerevchild = ' |
| 122 <tr> | 122 <tr> |
| 123 <td class="metatag">child:</td> | 123 <td class="metatag">child:</td> |
| 124 <td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> | 124 <td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> |
| 125 </tr>' | 125 </tr>' |
| 126 fileannotatechild = ' | 126 fileannotatechild = ' |
| 127 <tr> | 127 <tr> |
| 128 <td class="metatag">child:</td> | 128 <td class="metatag">child:</td> |
| 129 <td><a href="{url}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> | 129 <td><a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> |
| 130 </tr>' | 130 </tr>' |
| 131 tags = tags.tmpl | 131 tags = tags.tmpl |
| 132 tagentry = ' | 132 tagentry = ' |
| 133 <li class="tagEntry parity{parity}"> | 133 <li class="tagEntry parity{parity}"> |
| 134 <tt class="node">{node}</tt> | 134 <tt class="node">{node}</tt> |
| 135 <a href="{url}rev/{node|short}{sessionvars%urlparameter}">{tag|escape}</a> | 135 <a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{tag|escape}</a> |
| 136 </li>' | 136 </li>' |
| 137 branches = branches.tmpl | 137 branches = branches.tmpl |
| 138 branchentry = ' | 138 branchentry = ' |
| 139 <li class="tagEntry parity{parity}"> | 139 <li class="tagEntry parity{parity}"> |
| 140 <tt class="node">{node}</tt> | 140 <tt class="node">{node}</tt> |
| 141 <a href="{url}shortlog/{node|short}{sessionvars%urlparameter}" class="{status}">{branch|escape}</a> | 141 <a href="{url|urlescape}shortlog/{node|short}{sessionvars%urlparameter}" class="{status}">{branch|escape}</a> |
| 142 </li>' | 142 </li>' |
| 143 diffblock = '<pre class="parity{parity}">{lines}</pre>' | 143 diffblock = '<pre class="parity{parity}">{lines}</pre>' |
| 144 changelogtag = '<tr><th class="tag">tag:</th><td class="tag">{tag|escape}</td></tr>' | 144 changelogtag = '<tr><th class="tag">tag:</th><td class="tag">{tag|escape}</td></tr>' |
| 145 changesettag = '<tr><th class="tag">tag:</th><td class="tag">{tag|escape}</td></tr>' | 145 changesettag = '<tr><th class="tag">tag:</th><td class="tag">{tag|escape}</td></tr>' |
| 146 filediffparent = ' | 146 filediffparent = ' |
| 147 <tr> | 147 <tr> |
| 148 <th class="parent">parent {rev}:</th> | 148 <th class="parent">parent {rev}:</th> |
| 149 <td class="parent"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> | 149 <td class="parent"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> |
| 150 </tr>' | 150 </tr>' |
| 151 filelogparent = ' | 151 filelogparent = ' |
| 152 <tr> | 152 <tr> |
| 153 <th>parent {rev}:</th> | 153 <th>parent {rev}:</th> |
| 154 <td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> | 154 <td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> |
| 155 </tr>' | 155 </tr>' |
| 156 filediffchild = ' | 156 filediffchild = ' |
| 157 <tr> | 157 <tr> |
| 158 <th class="child">child {rev}:</th> | 158 <th class="child">child {rev}:</th> |
| 159 <td class="child"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> | 159 <td class="child"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td> |
| 160 </tr>' | 160 </tr>' |
| 161 filelogchild = ' | 161 filelogchild = ' |
| 162 <tr> | 162 <tr> |
| 163 <th>child {rev}:</th> | 163 <th>child {rev}:</th> |
| 164 <td><a href="{url}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> | 164 <td><a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">{node|short}</a></td> |
| 165 </tr>' | 165 </tr>' |
| 166 indexentry = ' | 166 indexentry = ' |
| 167 <tr class="parity{parity}"> | 167 <tr class="parity{parity}"> |
| 168 <td><a href="{url}{sessionvars%urlparameter}">{name|escape}</a></td> | 168 <td><a href="{url|urlescape}{sessionvars%urlparameter}">{name|escape}</a></td> |
| 169 <td>{description}</td> | 169 <td>{description}</td> |
| 170 <td>{contact|obfuscate}</td> | 170 <td>{contact|obfuscate}</td> |
| 171 <td class="age">{lastchange|rfc822date}</td> | 171 <td class="age">{lastchange|rfc822date}</td> |
| 172 <td class="indexlinks"> | 172 <td class="indexlinks"> |
| 173 <a href="{url}rss-log">RSS</a> | 173 <a href="{url|urlescape}rss-log">RSS</a> |
| 174 <a href="{url}atom-log">Atom</a> | 174 <a href="{url|urlescape}atom-log">Atom</a> |
| 175 {archives%archiveentry} | 175 {archives%archiveentry} |
| 176 </td> | 176 </td> |
| 177 </tr>' | 177 </tr>' |
| 178 index = index.tmpl | 178 index = index.tmpl |
| 179 archiveentry = '<a href="{url}archive/{node|short}{extension|urlescape}">{type|escape}</a> ' | 179 archiveentry = '<a href="{url|urlescape}archive/{node|short}{extension|urlescape}">{type|escape}</a> ' |
| 180 notfound = notfound.tmpl | 180 notfound = notfound.tmpl |
| 181 error = error.tmpl | 181 error = error.tmpl |
| 182 urlparameter = '{separator}{name}={value|urlescape}' | 182 urlparameter = '{separator}{name}={value|urlescape}' |
| 183 hiddenformentry = '<input type="hidden" name="{name}" value="{value|escape}" />' | 183 hiddenformentry = '<input type="hidden" name="{name}" value="{value|escape}" />' |
| 184 breadcrumb = '> <a href="{url}">{name}</a> ' | 184 breadcrumb = '> <a href="{url|urlescape}">{name|escape}</a> ' |