url quoting to avoid XSS
Commit
27f6238ce7b753697ff0d531a0f1ea1590b1e6601484813cb5e855fe801d53ab
Parent
ffb5a4671577ec0…
1 file changed
+7
-4
+7
-4
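--- a/src/tktsetup.c
+++ b/src/tktsetup.c
@@ -520,22 +520,25 @@
 @ <th1>enable_output 1</th1>
 @ <tr><td class="tktDspLabel">Version Found In:</td>
 @ <td colspan="3" valign="top" class="tktDspValue">
 @ <th1>
 @ set versionlink ""
+@ set urlfoundin [httpize $foundin]
 @ query {SELECT count(*) AS match FROM tag
 @ WHERE tagname=concat('sym-',$foundin)} {
-@ if {$match} {set versionlink "/timeline?t=$foundin"}
+@ if {$match} {set versionlink "/timeline?t=$urlfoundin"}
 @ }
 @ set pattern $foundin%
 @ query {SELECT count(*) AS match FROM blob WHERE uuid GLOB $pattern} {
-@ if {$match} {set versionlink "/info/$foundin"}
+@ if {$match} {set versionlink "/info/$urlfoundin"}
 @ }
 @ if {$versionlink eq ""} {
-@ html "$foundin"
+@ puts $foundin
 @ } else {
-@ html "<a href=\"$versionlink\">$foundin</a>"
+@ html "<a href=\"$versionlink\">"
+@ puts $foundin
+@ html "</a>"
 @ }
 @ </th1>
 @ </td></tr>
 @ </table>
 @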
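Review bot: The switch from `html "$foundin"` to `puts $foundin` (new-side 535 and 538) is the step that actually neutralises the ticket-supplied value — in Fossil's TH1, `puts` HTML-escapes its argument while `html` emits it verbatim — but nothing in the template records that, and the `html "<a href=\"$versionlink\">"` one line above looks like the idiom that was just removed, inviting a later edit to fold the three lines back into one. A one-line TH1 comment above `set urlfoundin [httpize $foundin]` would pin the contract: `# $foundin is raw user data: use $urlfoundin inside URLs, and emit it only via puts (HTML-escaped), never html`. Attribute safety of the href rests on `httpize` percent-encoding `"` and `<`, which the hunk does not show, so that is worth confirming against its implementation. Separately, the unchanged `set pattern $foundin%` feeds a GLOB, whose wildcard is `*` rather than `%`; if that is the real source text and not a rendering artifact, the prefix match never fires. The enclosing C function (these `@` lines are a TH1 template embedded in C) begins and ends outside the hunk.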
| --- src/tktsetup.c | |
| +++ src/tktsetup.c | |
| @@ -520,22 +520,25 @@ | |
| 520 | @ <th1>enable_output 1</th1> |
| 521 | @ <tr><td class="tktDspLabel">Version Found In:</td> |
| 522 | @ <td colspan="3" valign="top" class="tktDspValue"> |
| 523 | @ <th1> |
| 524 | @ set versionlink "" |
| 525 | @ query {SELECT count(*) AS match FROM tag |
| 526 | @ WHERE tagname=concat('sym-',$foundin)} { |
| 527 | @ if {$match} {set versionlink "/timeline?t=$foundin"} |
| 528 | @ } |
| 529 | @ set pattern $foundin% |
| 530 | @ query {SELECT count(*) AS match FROM blob WHERE uuid GLOB $pattern} { |
| 531 | @ if {$match} {set versionlink "/info/$foundin"} |
| 532 | @ } |
| 533 | @ if {$versionlink eq ""} { |
| 534 | @ html "$foundin" |
| 535 | @ } else { |
| 536 | @ html "<a href=\"$versionlink\">$foundin</a>" |
| 537 | @ } |
| 538 | @ </th1> |
| 539 | @ </td></tr> |
| 540 | @ </table> |
| 541 | @ |
| 542 |
| --- src/tktsetup.c | |
| +++ src/tktsetup.c | |
| @@ -520,22 +520,25 @@ | |
| 520 | @ <th1>enable_output 1</th1> |
| 521 | @ <tr><td class="tktDspLabel">Version Found In:</td> |
| 522 | @ <td colspan="3" valign="top" class="tktDspValue"> |
| 523 | @ <th1> |
| 524 | @ set versionlink "" |
| 525 | @ set urlfoundin [httpize $foundin] |
| 526 | @ query {SELECT count(*) AS match FROM tag |
| 527 | @ WHERE tagname=concat('sym-',$foundin)} { |
| 528 | @ if {$match} {set versionlink "/timeline?t=$urlfoundin"} |
| 529 | @ } |
| 530 | @ set pattern $foundin% |
| 531 | @ query {SELECT count(*) AS match FROM blob WHERE uuid GLOB $pattern} { |
| 532 | @ if {$match} {set versionlink "/info/$urlfoundin"} |
| 533 | @ } |
| 534 | @ if {$versionlink eq ""} { |
| 535 | @ puts $foundin |
| 536 | @ } else { |
| 537 | @ html "<a href=\"$versionlink\">" |
| 538 | @ puts $foundin |
| 539 | @ html "</a>" |
| 540 | @ } |
| 541 | @ </th1> |
| 542 | @ </td></tr> |
| 543 | @ </table> |
| 544 | @ |
| 545 |