Skip to content

Commit 9dcfc7d

Browse files
committed
Escape some raw path data before handing off to templates
* lib/viewvc.py (nav_path): Escape the 'name' property of navigation path components the same way we escape that of the 'root' path component. Reported by: Thomas Gerbet <thomas.gerbet@enalean.com>
1 parent 8507aa4 commit 9dcfc7d

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

Diff for: lib/viewvc.py

+1-1
Original file line numberDiff line numberDiff line change
@@ -980,7 +980,7 @@ def nav_path(request):
980980
path_parts.append(part)
981981
is_last = len(path_parts) == len(request.path_parts)
982982

983-
item = _item(name=part, href=None)
983+
item = _item(name=request.server.escape(part), href=None)
984984

985985
if not is_last or (is_dir and request.view_func is not view_directory):
986986
item.href = request.get_url(view_func=view_directory,

0 commit comments

Comments
 (0)