ui-diff.c: avoid html injection

When path-filtering was used in commit-view, the path filter was
included without proper html escaping. This patch closes the hole.

Signed-off-by: Lukasz Janyst <ljanyst@cern.ch>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>

diff --git a/ui-diff.c b/ui-diff.c
index a53425dbf069fee2de38f621528c2e6753beba51..a7bc667f799cfd0e167508e90d0f5273d3c90f42 100644 (file)
--- a/ui-diff.c
+++ b/ui-diff.c
@@ -172,8 +172,11 @@ void cgit_print_diffstat(const unsigned char *old_sha1,
        html("<div class='diffstat-header'>");
        cgit_diff_link("Diffstat", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
                       ctx.qry.sha2, NULL, 0);
-       if (prefix)
-               htmlf(" (limited to '%s')", prefix);
+       if (prefix) {
+               html(" (limited to '");
+               html_txt(prefix);
+               html("')");
+       }
        html(" (");
        ctx.qry.context = (save_context > 0 ? save_context : 3) << 1;
        cgit_self_link("more", NULL, NULL, &ctx);