Skip to content
Permalink
Browse files Browse the repository at this point in the history
Escape some raw path data before handing off to templates
* lib/viewvc.py
  (nav_path): Escape the 'name' property of navigation path components
    the same way we escape that of the 'root' path component.

Reported by: Thomas Gerbet <thomas.gerbet@enalean.com>
  • Loading branch information
cmpilato committed Jan 24, 2017
1 parent 8507aa4 commit 9dcfc7d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/viewvc.py
Expand Up @@ -980,7 +980,7 @@ def nav_path(request):
path_parts.append(part)
is_last = len(path_parts) == len(request.path_parts)

item = _item(name=part, href=None)
item = _item(name=request.server.escape(part), href=None)

if not is_last or (is_dir and request.view_func is not view_directory):
item.href = request.get_url(view_func=view_directory,
Expand Down

0 comments on commit 9dcfc7d

Please sign in to comment.