Fossil SCM
Fix an XSS issue with the /help webpage.
Commit
db482f1675d5d084ab7f637582256ab7eda3d625e77f3a3ff8080c19142e208d
Parent
12ab581fdac0c7d…
1 file changed
+5
-5
+5
-5
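--- a/src/dispatch.c
+++ b/src/dispatch.c
@@ -243,22 +243,22 @@
 
 style_submenu_element("Command-List", "%s/help", g.zTop);
 if( *zCmd=='/' ){
 /* Some of the webpages require query parameters in order to work.
 ** @ <h1>The "<a href='%R%s(zCmd)'>%s(zCmd)</a>" page:</h1> */
-@ <h1>The "%s(zCmd)" page:</h1>
+@ <h1>The "%h(zCmd)" page:</h1>
 }else{
-@ <h1>The "%s(zCmd)" command:</h1>
+@ <h1>The "%h(zCmd)" command:</h1>
 }
 rc = dispatch_name_search(zCmd, CMDFLAG_ANY, &pCmd);
 if( rc==1 ){
-@ unknown command: %s(zCmd)
+@ unknown command: %h(zCmd)
 }else if( rc==2 ){
-@ ambiguous command prefix: %s(zCmd)
+@ ambiguous command prefix: %h(zCmd)
 }else{
 if( pCmd->zHelp[0]==0 ){
-@ no help available for the %s(pCmd->zName) command
+@ no help available for the %h(pCmd->zName) command
 }else{
 @ <blockquote>
 help_to_html(pCmd->zHelp, cgi_output_blob());
 @ </blockquote>
 }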
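Review bot: The commented-out template on new line 247 still carries `%s(zCmd)` twice, once inside a single-quoted `href` and once as link text, so re-enabling it as written would bring back the unescaped output that this commit removes from lines 248 to 259. I would change the comment to `** @ <h1>The "<a href='%R%h(zCmd)'>%h(zCmd)</a>" page:</h1> */`, or add a line to it such as `** zCmd is request-controlled: emit it with %h, never %s.`; whether the attribute position also needs URL encoding cannot be judged from this hunk. The `%h` on `pCmd->zName` at line 259 is presumably defence in depth, since that name appears to come from the command table rather than from the request. The enclosing function starts and ends outside the hunk, so other uses of `zCmd` in it are not visible here and are worth checking for the same `%s` pattern.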
| --- src/dispatch.c | |
| +++ src/dispatch.c | |
| @@ -243,22 +243,22 @@ | |
| 243 | |
| 244 | style_submenu_element("Command-List", "%s/help", g.zTop); |
| 245 | if( *zCmd=='/' ){ |
| 246 | /* Some of the webpages require query parameters in order to work. |
| 247 | ** @ <h1>The "<a href='%R%s(zCmd)'>%s(zCmd)</a>" page:</h1> */ |
| 248 | @ <h1>The "%s(zCmd)" page:</h1> |
| 249 | }else{ |
| 250 | @ <h1>The "%s(zCmd)" command:</h1> |
| 251 | } |
| 252 | rc = dispatch_name_search(zCmd, CMDFLAG_ANY, &pCmd); |
| 253 | if( rc==1 ){ |
| 254 | @ unknown command: %s(zCmd) |
| 255 | }else if( rc==2 ){ |
| 256 | @ ambiguous command prefix: %s(zCmd) |
| 257 | }else{ |
| 258 | if( pCmd->zHelp[0]==0 ){ |
| 259 | @ no help available for the %s(pCmd->zName) command |
| 260 | }else{ |
| 261 | @ <blockquote> |
| 262 | help_to_html(pCmd->zHelp, cgi_output_blob()); |
| 263 | @ </blockquote> |
| 264 | } |
| 265 |
| --- src/dispatch.c | |
| +++ src/dispatch.c | |
| @@ -243,22 +243,22 @@ | |
| 243 | |
| 244 | style_submenu_element("Command-List", "%s/help", g.zTop); |
| 245 | if( *zCmd=='/' ){ |
| 246 | /* Some of the webpages require query parameters in order to work. |
| 247 | ** @ <h1>The "<a href='%R%s(zCmd)'>%s(zCmd)</a>" page:</h1> */ |
| 248 | @ <h1>The "%h(zCmd)" page:</h1> |
| 249 | }else{ |
| 250 | @ <h1>The "%h(zCmd)" command:</h1> |
| 251 | } |
| 252 | rc = dispatch_name_search(zCmd, CMDFLAG_ANY, &pCmd); |
| 253 | if( rc==1 ){ |
| 254 | @ unknown command: %h(zCmd) |
| 255 | }else if( rc==2 ){ |
| 256 | @ ambiguous command prefix: %h(zCmd) |
| 257 | }else{ |
| 258 | if( pCmd->zHelp[0]==0 ){ |
| 259 | @ no help available for the %h(pCmd->zName) command |
| 260 | }else{ |
| 261 | @ <blockquote> |
| 262 | help_to_html(pCmd->zHelp, cgi_output_blob()); |
| 263 | @ </blockquote> |
| 264 | } |
| 265 |