ui-diff.c: avoid html injection

When path-filtering was used in commit-view, the path filter was included without proper html escaping. This patch closes the hole. Signed-off-by: Lukasz Janyst <ljanyst@cern.ch> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
author: Lukasz Janyst <ljanyst@cern.ch> 2011-03-05 13:10:55 (UTC)
committer: Lars Hjemli <hjemli@gmail.com> 2011-03-05 13:13:06 (UTC)
commit: 7f3c6e0ce9b41142cf2707af100992acdce059df (patch) (side-by-side diff)
tree: 119a1920c85adcc65017afc8d9d95ab3e2bafef4
parent: 1b09cbd303d889ec2636127584d57b7f1b70c25e (diff)
download: cgit-7f3c6e0ce9b41142cf2707af100992acdce059df.zip
cgit-7f3c6e0ce9b41142cf2707af100992acdce059df.tar.gz
cgit-7f3c6e0ce9b41142cf2707af100992acdce059df.tar.bz2
1 files changed, 5 insertions, 2 deletions
diff --git a/ui-diff.c b/ui-diff.c
index a53425d..a7bc667 100644
--- a/ui-diff.c
+++ b/ui-diff.c
@@ -174,4 +174,7 @@ void cgit_print_diffstat(const unsigned char *old_sha1,
 		       ctx.qry.sha2, NULL, 0);
-	if (prefix)
-		htmlf(" (limited to '%s')", prefix);
+	if (prefix) {
+		html(" (limited to '");
+		html_txt(prefix);
+		html("')");
+	}
 	html(" (");
author	Lukasz Janyst <ljanyst@cern.ch>	2011-03-05 13:10:55 (UTC)
committer	Lars Hjemli <hjemli@gmail.com>	2011-03-05 13:13:06 (UTC)
commit	7f3c6e0ce9b41142cf2707af100992acdce059df (patch) (side-by-side diff)
tree	119a1920c85adcc65017afc8d9d95ab3e2bafef4
parent	1b09cbd303d889ec2636127584d57b7f1b70c25e (diff)
download	cgit-7f3c6e0ce9b41142cf2707af100992acdce059df.zip cgit-7f3c6e0ce9b41142cf2707af100992acdce059df.tar.gz cgit-7f3c6e0ce9b41142cf2707af100992acdce059df.tar.bz2