MusicBrainz Server: MBS-5548

Git commit data output isn't HTML escaped

    • Type: Bug
    • Resolution: Fixed
    • Priority: Normal
    • 2012-12-10

      If someone calling themselves, say, Frederik "Freso" S. Olesen made a commit with a message like “MBS-5523: Add missing "url" in JSON WS url-rels output.”, the "server_details.git.*" will produce bad HTML as it won't escape the quotes. This, in turn, will cause tests to break as long as it's the latest commit.

      The diff below doesn't actually fix this, but it hides the error. A test should probably also be added for this, to avoid regressions.

      diff --git a/root/layout.tt b/root/layout.tt
      index 13e5b93..c77e5ca 100644
      --- a/root/layout.tt
      +++ b/root/layout.tt
      @@ -70,8 +70,8 @@
                       [%- IF server_details.git.branch -%]
                         <div class="git-branch">
                           [%- l('Running: <span class="tooltip" title="{msg}">{branch} ({sha})</span>',
      -                         { branch => server_details.git.branch,
      -                           msg => server_details.git.msg,
      +                         { branch => htmlescape(server_details.git.branch),
      +                           msg => htmlescape(server_details.git.msg),
                                  sha   => server_details.git.sha}) -%]
                         </div>
                       [%- END -%]
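Review bot: the unchanged context line `sha   => server_details.git.sha}) -%]` still interpolates `sha` into the `<span>` raw while `branch` and `msg` are now wrapped in `htmlescape()`; wrap it the same way so every value substituted into the `l()` string follows one rule. Since the description says this only hides rather than fixes the unescaped output, the regression test it asks for (rendering with a commit message containing double quotes, as in the example quoted above, and checking the `title` attribute stays intact) should land together with this change.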
      
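The breakage described above, and the regression check the description asks for, as an added Python example (not part of the issue or the MusicBrainz Server code base): it imitates the layout.tt interpolation with and without escaping and verifies that the `title` attribute comes back as the original commit message. The commit message is the one quoted in the description; the branch and sha values are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for server_details.git.*: the msg is the commit
# message quoted in the issue, branch and sha are made-up sample values.
GIT = {
    "branch": "master",
    "msg": 'MBS-5523: Add missing "url" in JSON WS url-rels output.',
    "sha": "0123abcd",
}

def render_git_banner(git, escape):
    """Mimic the layout.tt span: interpolate branch/msg/sha into the markup.
    escape=False reproduces the pre-patch behaviour (raw values)."""
    esc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return ('<span class="tooltip" title="{msg}">{branch} ({sha})</span>'
            .format(msg=esc(git["msg"]),
                    branch=esc(git["branch"]),
                    sha=esc(git["sha"])))

class _SpanAttrs(HTMLParser):
    """Collect the attributes the browser-side parser would see on the span."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self.attrs = dict(attrs)

def title_round_trips(fragment, expected_msg):
    """Regression check: the title attribute must equal the original message
    and the span must carry only the two intended attributes. An unescaped
    quote truncates the title and spills the rest of the message into
    bogus attribute names, so this returns False for the raw rendering."""
    parser = _SpanAttrs()
    parser.feed(fragment)
    parser.close()
    return (parser.attrs.get("title") == expected_msg
            and set(parser.attrs) == {"class", "title"})
```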

Pavan Chander (navap)
Freso (freso)