ui-diff.c: avoid html injection

When path-filtering was used in commit-view, the path filter was
included without proper html escaping. This patch closes the hole.

Signed-off-by: Lukasz Janyst <ljanyst@cern.ch>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/ui-diff.c b/ui-diff.c
index a53425d..a7bc667 100644
--- a/ui-diff.c
+++ b/ui-diff.c
@@ -163,26 +163,29 @@ static void inspect_filepair(struct diff_filepair *pair)
         total_adds += lines_added;
         total_rems += lines_removed;
 }
 
 void cgit_print_diffstat(const unsigned char *old_sha1,
                          const unsigned char *new_sha1, const char *prefix)
 {
         int i, save_context = ctx.qry.context;
 
         html("<div class='diffstat-header'>");
         cgit_diff_link("Diffstat", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
                        ctx.qry.sha2, NULL, 0);
-        if (prefix)
-                htmlf(" (limited to '%s')", prefix);
+        if (prefix) {
+                html(" (limited to '");
+                html_txt(prefix);
+                html("')");
+        }
         html(" (");
         ctx.qry.context = (save_context > 0 ? save_context : 3) << 1;
         cgit_self_link("more", NULL, NULL, &ctx);
         html("/");
         ctx.qry.context = (save_context > 3 ? save_context : 3) >> 1;
         cgit_self_link("less", NULL, NULL, &ctx);
         ctx.qry.context = save_context;
         html(" context)");
         html(" (");
         ctx.qry.ignorews = (ctx.qry.ignorews + 1) % 2;
         cgit_self_link(ctx.qry.ignorews ? "ignore" : "show", NULL, NULL, &ctx);
         ctx.qry.ignorews = (ctx.qry.ignorews + 1) % 2;