
Git commit data output isn't HTML escaped


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2012-12-10
    • Component/s: None
    • Labels: None

      Description

      If someone calling themselves, say, Frederik "Freso" S. Olesen made a commit with a message like “MBS-5523: Add missing "url" in JSON WS url-rels output.”, the "server_details.git.*" will produce bad HTML as it won't escape the quotes. This, in turn, will cause tests to break as long as it's the latest commit.

      The diff below doesn't actually fix this, but it hides the error. A test should probably also be made for this, to avoid regressions.

      diff --git a/root/layout.tt b/root/layout.tt
      index 13e5b93..c77e5ca 100644
      --- a/root/layout.tt
      +++ b/root/layout.tt
      @@ -70,8 +70,8 @@
                       [%- IF server_details.git.branch -%]
                         <div class="git-branch">
                           [%- l('Running: <span class="tooltip" title="{msg}">{branch} ({sha})</span>',
      -                         { branch => server_details.git.branch,
      -                           msg => server_details.git.msg,
      +                         { branch => htmlescape(server_details.git.branch),
      +                           msg => htmlescape(server_details.git.msg),
                                  sha   => server_details.git.sha}) -%]
                         </div>
                       [%- END -%]
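Review bot: the unchanged `sha   => server_details.git.sha}) -%]` line still passes the commit hash unescaped while `branch` and `msg` now go through `htmlescape()`; for consistency wrap it too (`sha => htmlescape(server_details.git.sha)`), since all three values land in the same `title` attribute and text of the l() string. As the report itself notes, escaping at this call site hides rather than fixes the problem, so a regression test that renders the layout with a commit message containing double quotes would catch any other consumer of `server_details.git.*` that forgets to escape.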
      

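The regression test the report asks for, sketched as an added example in Python rather than the project's own Perl/Template Toolkit code: it renders the same `<span class="tooltip" title="{msg}">{branch} ({sha})</span>` markup with and without escaping and parses the result back, so a commit message containing double quotes is shown to break the `title` attribute unless every interpolated value is HTML-escaped. The `GIT` dictionary is constructed sample data, not real git output.

```python
import html
from html.parser import HTMLParser

# Constructed sample commit data mirroring the report (not real git output).
GIT = {
    "branch": "master",
    "sha": "abc1234",
    "msg": 'MBS-5523: Add missing "url" in JSON WS url-rels output.',
}


def render_git_span(git, escape):
    """Mimic the layout.tt snippet. escape=False reproduces the bug;
    escape=True escapes every interpolated value, quotes included."""
    esc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return '<span class="tooltip" title="{msg}">{branch} ({sha})</span>'.format(
        msg=esc(git["msg"]), branch=esc(git["branch"]), sha=esc(git["sha"]))


class FirstSpan(HTMLParser):
    """Collect the attributes of the first <span> the parser sees."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "span" and self.attrs is None:
            self.attrs = dict(attrs)  # parser already unescapes &quot; etc.


def parse_span_attrs(markup):
    p = FirstSpan()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def title_survives(git, escape):
    """True only if the parsed span has exactly class+title and the title
    round-trips to the original commit message."""
    attrs = parse_span_attrs(render_git_span(git, escape))
    return attrs.get("title") == git["msg"] and set(attrs) == {"class", "title"}


if __name__ == "__main__":
    print("unescaped ok:", title_survives(GIT, escape=False))  # False: quotes end the attribute early
    print("escaped ok:  ", title_survives(GIT, escape=True))   # True
```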
            People

            • Assignee: navap Pavan Chander
            • Reporter: freso Frederik “Freso” S. Olesen
