This seems to be the minimal fix:
=== modified file 'loggerhead/templatefunctions.py'
--- loggerhead/templatefunctions.py 2011-03-02 14:07:21 +0000
+++ loggerhead/templatefunctions.py 2011-03-22 14:51:59 +0000
@@ -53,12 +53,12 @@
 cgi.escape(filename), cgi.escape(filename))
 else:
 return revision_link(
- url, entry.revno, filename, '#' + filename)
+ url, entry.revno, filename, '#' + cgi.escape(filename, True))
 else:
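Review bot: The fragment is escaped only at this call site, while `revision_link` (the hunk at -128) still interpolates `frag` into the `href` verbatim, so any other caller that passes a fragment has to remember to escape it itself. Doing it once in the helper, by formatting with `cgi.escape(frag, True)` there and passing `'#' + filename` unescaped here, keeps the attribute-context escaping in one place and avoids double escaping. The enclosing function starts and ends outside this hunk, so its other call sites cannot be checked from here.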
I'm still poking around at some other places that might expose paths:
 def file_link(filename):
 return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>' % (
- url(['/revision', entry.revno]), '#' + filename, cgi.escape(filename),
- cgi.escape(entry.revno), cgi.escape(filename))
+ url(['/revision', entry.revno]), '#' + cgi.escape(filename),
+ cgi.escape(filename), cgi.escape(entry.revno), cgi.escape(filename))
 return _pt('revisionfilechanges').expand(
 entry=entry, file_changes=file_changes, file_link=file_link, **templatefunctions)
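Review bot: `cgi.escape(filename)` on the added `href` line leaves double quotes unescaped, because `cgi.escape` converts `"` only when its second argument is true, so a filename containing `"` can still close the attribute. Use `'#' + cgi.escape(filename, True)` here, as the templatefunctions.py hunk at -53 already does. The same applies to the `title="%s"` values in this function and in `revision_link` at -128, which are also placed inside double-quoted attributes using the one-argument form. The file header for this hunk is not shown, so which module `file_link` lives in cannot be confirmed from the page.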
@@ -128,7 +128,7 @@
 @templatefunc
 def revision_link(url, revno, path, frag=''):
 return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>' % (
- url(['/revision', revno, path]), frag, cgi.escape(path),
+ url(['/revision', revno, cgi.escape(path)]), frag, cgi.escape(path),
 cgi.escape(revno), cgi.escape(path))
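Review bot: `cgi.escape(path)` is applied before the path is handed to `url()`, which puts HTML escaping inside URL construction instead of on the finished attribute value. The one-argument form leaves `"` untouched, and if `url()` percent-encodes its segments (not visible here) a path containing `&` would be requested as `&amp;` and the link would point at the wrong file. Building the URL from the raw path and escaping the result for the attribute is more robust: `cgi.escape(url(['/revision', revno, path]), True), cgi.escape(frag, True), cgi.escape(path, True),`. It would also help to add a short docstring to `revision_link` stating that `path` and `frag` are taken unescaped and escaped by the helper.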
This seems to be the minimal fix: templatefunctio ns.py' templatefunctio ns.py 2011-03-02 14:07:21 +0000 templatefunctio ns.py 2011-03-22 14:51:59 +0000
cgi.escape( filename) , cgi.escape( filename) )
return revision_link( filename, True))
=== modified file 'loggerhead/
--- loggerhead/
+++ loggerhead/
@@ -53,12 +53,12 @@
else:
- url, entry.revno, filename, '#' + filename)
+ url, entry.revno, filename, '#' + cgi.escape(
else:
I'm still poking around at some other places that might expose paths: filename) : filename) , entry.revno) , cgi.escape( filename) ) filename) , filename) , cgi.escape( entry.revno) , cgi.escape( filename) ) lechanges' ).expand(
entry= entry, file_changes= file_changes, file_link= file_link, **templatefunct ions)
def file_link(
return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>' % (
- url(['/revision', entry.revno]), '#' + filename, cgi.escape(
- cgi.escape(
+ url(['/revision', entry.revno]), '#' + cgi.escape(
+ cgi.escape(
return _pt('revisionfi
@@ -128,7 +128,7 @@
cgi.escape( revno), cgi.escape(path))
@templatefunc
def revision_link(url, revno, path, frag=''):
return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>' % (
- url(['/revision', revno, path]), frag, cgi.escape(path),
+ url(['/revision', revno, cgi.escape(path)]), frag, cgi.escape(path),