Describe the bug
When the show_subdir_lastmod option is enabled, ViewVC shows for directories in the directory view the log message of the most recently modified child thereof, along with the child file's name and revision number. Unfortunately, the child file's name is not properly HTML-escaped.
Steps to reproduce the behavior
In a CVS repository, copy the ,v backing file for any non-dead versioned file into an otherwise empty subdirectory of the repository.
Ensure that show_subdir_lastmod is enabled in your viewvc.conf file (restarting any relevant servers).
In ViewVC, visit the parent directory of the newly created file. ViewVC will pass the name of your newly created file (minus the ,v bit) to the browser without escaping that name for safe HTML transport. In this specific example, a JavaScript alert dialog will appear with the message "1".
Expected behavior
ViewVC should relay the name of the last-modified file, properly escaped.
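An added illustration of the expected behavior, not ViewVC's code and not part of the original report: a hypothetical directory-row template is rendered with the child file's name interpolated raw and then escaped, and a parser check reports any element the name introduces. The template, the function names and the sample file name are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Hypothetical "last modified" cell; an assumption, not ViewVC's real template.
ROW = '<td class="lastmod"><a href="{href}">{name}</a> {rev}: {log}</td>'
EXPECTED_TAGS = ["td", "a"]  # the only elements the template itself emits

# Constructed sample: a child file name that contains HTML markup.
SAMPLE_NAME = "<img src=x>.txt"


def render_unescaped(name, rev, log):
    """Behaviour described in the report: the file name is interpolated raw."""
    return ROW.format(href=html.escape(quote(name)), name=name,
                      rev=html.escape(rev), log=html.escape(log))


def render_escaped(name, rev, log):
    """Expected behaviour: every repository-derived value is HTML-escaped."""
    return ROW.format(href=html.escape(quote(name)), name=html.escape(name),
                      rev=html.escape(rev), log=html.escape(log))


class Collector(HTMLParser):
    """Records the start tags and text that an HTML parser sees in the cell."""

    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def inspect_cell(markup):
    """Return (tags not emitted by the template, visible text) for a cell."""
    parser = Collector()
    parser.feed(markup)
    parser.close()
    injected = list(parser.tags)
    for tag in EXPECTED_TAGS:
        injected.remove(tag)
    return injected, "".join(parser.text)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, inspect_cell(render(SAMPLE_NAME, "1.1", "initial import")))
```

A check of this shape works as a regression test: with escaping in place the file name comes back as visible text and the list of injected tags is empty.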