Author: Lars Hjemli <hjemli@gmail.com>
ui-shared: use html_url_path() to get properly escaped url in form action

When a repo uses an url with e.g. '#' or '?' characters this needs to be properly escaped when used as action in a form tag.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
ui-shared.c | 4 ++--
diff --git a/ui-shared.c b/ui-shared.c index f858ab69ee7556776cb5d0d44eddf74f76ecd3fd..1e12529411133d15b0949c01f310a4318048a522 100644 --- a/ui-shared.c +++ b/ui-shared.c @@ -649,8 +649,8 @@ NULL); html("</td><td class='form'>"); html("<form class='right' method='get' action='"); if (ctx->cfg.virtual_root) - html_attr(cgit_fileurl(ctx->qry.repo, "log", - ctx->qry.path, NULL)); + html_url_path(cgit_fileurl(ctx->qry.repo, "log", + ctx->qry.path, NULL)); html("'>\n"); add_hidden_formfields(1, 0, "log"); html("<select name='qt'>\n");
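Review bot: The value written by the changed call in the virtual_root branch lands inside a single-quoted attribute (action='...'), so replacing html_attr() with html_url_path() is only safe if html_url_path() also encodes the quote character that delimits the attribute. Its definition is not part of this diff, and the arguments (ctx->qry.repo, ctx->qry.path) look request-derived. Please confirm that html_url_path() encodes ' as well as " and <, in addition to the '#' and '?' named in the commit message, and say so in the message or in a comment above the call. A test repo whose url contains both '#' and a single quote would cover both properties for this form.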