Comment 10 for bug 740142

John A Meinel (jameinel) wrote :

This seems to be the minimal fix:
=== modified file 'loggerhead/templatefunctions.py'
--- loggerhead/templatefunctions.py 2011-03-02 14:07:21 +0000
+++ loggerhead/templatefunctions.py 2011-03-22 14:51:59 +0000
@@ -53,12 +53,12 @@
                     cgi.escape(filename), cgi.escape(filename))
             else:
                 return revision_link(
- url, entry.revno, filename, '#' + filename)
+ url, entry.revno, filename, '#' + cgi.escape(filename, True))
     else:

I'm still poking around at some other places that might expose paths:
         def file_link(filename):
             return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>' % (
- url(['/revision', entry.revno]), '#' + filename, cgi.escape(filename),
- cgi.escape(entry.revno), cgi.escape(filename))
+ url(['/revision', entry.revno]), '#' + cgi.escape(filename),
+ cgi.escape(filename), cgi.escape(entry.revno), cgi.escape(filename))
     return _pt('revisionfilechanges').expand(
         entry=entry, file_changes=file_changes, file_link=file_link, **templatefunctions)
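Review bot: The `else:`-branch `file_link` escapes the fragment with `cgi.escape(filename)` but omits the quote argument, so a double quote in a file name is left as-is inside the double-quoted `href="…"` attribute. The first change in this hunk passes `True`, and this one should match: `url(['/revision', entry.revno]), '#' + cgi.escape(filename, True),`. The same gap affects the `title="View changes to %s …"` argument here and in `revision_link` in the next hunk, and the `<a href="#%s">` context line at the top of this hunk; all of them sit inside double-quoted attributes and call `cgi.escape` without the quote flag. Strictly, the fragment should also be percent-encoded before it is HTML-escaped, since file names can contain characters that are not valid in a URL fragment. The enclosing function starts above the hunk.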

@@ -128,7 +128,7 @@
 @templatefunc
 def revision_link(url, revno, path, frag=''):
     return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>' % (
- url(['/revision', revno, path]), frag, cgi.escape(path),
+ url(['/revision', revno, cgi.escape(path)]), frag, cgi.escape(path),
         cgi.escape(revno), cgi.escape(path))
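Review bot: `cgi.escape(path)` is applied to the path before it is handed to `url([...])`, which mixes HTML escaping with URL construction. If `url()` percent-encodes its segments (its body is not shown here), a file named `a&b` would end up linking to a path containing the literal text `&amp;`; if it does not, a double quote in the path still reaches the `href` attribute, because the quote flag is not set. Escaping the finished URL for the attribute context avoids both problems, e.g. `cgi.escape(url(['/revision', revno, path]), True), frag, cgi.escape(path, True),`. A unit test with a path containing `&`, `<` and `"` would pin both the link target and the generated markup.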