gitweb: protect blob and diff output lines from controls.

This revealed that the output from blame and tag was not chomped
properly and was relying on HTML output not noticing that extra
whitespace that resulted from the newline, which was also fixed.

Signed-off-by: Junio C Hamano <junkio@cox.net>

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 634975b3c85ca421f7df866c5906eed22293af6a..f4d1ef007b56d5a069146f5997d956a4848fec10 100755 (executable)
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -576,11 +576,10 @@ sub esc_html ($;%) {
 
        $str = to_utf8($str);
        $str = escapeHTML($str);
-       $str =~ s/\014/^L/g; # escape FORM FEED (FF) character (e.g. in COPYING file)
-       $str =~ s/\033/^[/g; # "escape" ESCAPE (\e) character (e.g. commit 20a3847d8a5032ce41f90dcc68abfb36e6fee9b1)
        if ($opts{'-nbsp'}) {
                $str =~ s/ / /g;
        }
+       $str =~ s|([[:cntrl:]])|(($1 ne "\t") ? quot_cec($1) : $1)|eg;
        return $str;
 }
 
@@ -1879,17 +1878,17 @@ sub git_print_page_path {
                        $fullname .= ($fullname ? '/' : '') . $dir;
                        print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
                                                     hash_base=>$hb),
-                                     -title => $fullname}, esc_path($dir));
+                                     -title => esc_html($fullname)}, esc_path($dir));
                        print " / ";
                }
                if (defined $type && $type eq 'blob') {
                        print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => $name}, esc_path($basename));
+                                     -title => esc_html($name)}, esc_path($basename));
                } elsif (defined $type && $type eq 'tree') {
                        print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => $name}, esc_path($basename));
+                                     -title => esc_html($name)}, esc_path($basename));
                        print " / ";
                } else {
                        print esc_path($basename);
@@ -2851,6 +2850,7 @@ sub git_tag {
        print "<div class=\"page_body\">";
        my $comment = $tag{'comment'};
        foreach my $line (@$comment) {
+               chomp($line);
                print esc_html($line) . "<br/>\n";
        }
        print "</div>\n";
@@ -2920,6 +2920,7 @@ HTML
                        }
                }
                my $data = $_;
+               chomp($data);
                my $rev = substr($full_rev, 0, 8);
                my $author = $meta->{'author'};
                my %date = parse_date($meta->{'author-time'},