diff mercurial/templates/spartan/changeset.tmpl @ 18526:9409aeaafdc1 stable
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Without this, repository paths or names containing e.g. `&` characters or HTML
tags yielded broken markup, possibly allowing cross-site scripting attacks.
author | Thomas Arendsen Hein <thomas@intevation.de> |
---|---|
date | Fri, 01 Feb 2013 20:43:35 +0100 |
parents | 7bf412b767fe |
children | 52305554fd6e |
--- a/mercurial/templates/spartan/changeset.tmpl Fri Feb 01 15:14:05 2013 -0600
+++ b/mercurial/templates/spartan/changeset.tmpl Fri Feb 01 20:43:35 2013 +0100
@@ -4,15 +4,15 @@
 <body>
 
 <div class="buttons">
-<a href="{url}log/{rev}{sessionvars%urlparameter}">changelog</a>
-<a href="{url}shortlog/{rev}{sessionvars%urlparameter}">shortlog</a>
-<a href="{url}graph{sessionvars%urlparameter}">graph</a>
-<a href="{url}tags{sessionvars%urlparameter}">tags</a>
-<a href="{url}branches{sessionvars%urlparameter}">branches</a>
-<a href="{url}file/{node|short}{sessionvars%urlparameter}">files</a>
-<a href="{url}raw-rev/{node|short}">raw</a>
+<a href="{url|urlescape}log/{rev}{sessionvars%urlparameter}">changelog</a>
+<a href="{url|urlescape}shortlog/{rev}{sessionvars%urlparameter}">shortlog</a>
+<a href="{url|urlescape}graph{sessionvars%urlparameter}">graph</a>
+<a href="{url|urlescape}tags{sessionvars%urlparameter}">tags</a>
+<a href="{url|urlescape}branches{sessionvars%urlparameter}">branches</a>
+<a href="{url|urlescape}file/{node|short}{sessionvars%urlparameter}">files</a>
+<a href="{url|urlescape}raw-rev/{node|short}">raw</a>
 {archives%archiveentry}
-<a href="{url}help{sessionvars%urlparameter}">help</a>
+<a href="{url|urlescape}help{sessionvars%urlparameter}">help</a>
 </div>
 
 <h2><a href="/">Mercurial</a> {pathdef%breadcrumb} / changeset: {desc|strip|escape|firstline|nonempty}</h2>
@@ -20,7 +20,7 @@
 <table id="changesetEntry">
 <tr>
  <th class="changeset">changeset {rev}:</th>
-    <td class="changeset"><a href="{url}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
+    <td class="changeset"><a href="{url|urlescape}rev/{node|short}{sessionvars%urlparameter}">{node|short}</a></td>
 </tr>
 {parent%changesetparent}
 {child%changesetchild}
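Review bot: `|urlescape` is now applied to every `{url}` written directly in this template, but the first hunk still emits `{archives%archiveentry}` and, in the `<h2>` context line, `{pathdef%breadcrumb}`, whose hrefs come from sub-templates in the spartan map file that this diff does not show; unless those entries received the same `{url|urlescape}` treatment in this changeset, the archive and breadcrumb links still interpolate the raw repository path into an attribute. The same applies to `{parent%changesetparent}` and `{child%changesetchild}` at the end of the second hunk. The unfiltered `{rev}` and `{node|short}` path segments look fine as they are hg-generated integer and hex values, and `{sessionvars%urlparameter}` presumably does its own escaping — worth confirming rather than assuming. Note that `urlescape` on its own makes these attributes safe only because urllib-style percent-encoding also encodes `"`, `&` and `<`; if that filter's safe-character set is ever widened, a trailing `|escape` would be needed on each href as well.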