Fossil

Check-in [6261c94b1e]

Overview
Comment: Do not allow links with "../" substring or '<' character. The former enforces that the link maps into a repo-local page; the latter enforces defense against injection of malicious HTML elements.
SHA3-256: 6261c94b1e5059d681180cf37a2d82886b0446b72748896993c2643dd1e207f1
User & Date: george 2021-06-15 22:31:55.447
Context
2021-08-15
23:49
Merge from trunk ... (check-in: 59010c7c09 user: george tags: rptview-submenu-paralink)
2021-06-15
22:31
Do not allow links with "../" substring or '<' character. The former enforces that the link maps into a repo-local page; the latter enforces defense against injection of malicious HTML elements. ... (check-in: 6261c94b1e user: george tags: rptview-submenu-paralink)
21:45
Merge from trunk ... (check-in: f445855917 user: george tags: rptview-submenu-paralink)
Changes
Changes to src/style.c.
391
392
393
394
395
396
397






398
399

400
401
402
403
404
405
406
        continue;
      }
      /* require the first path segment to be unfancy ASCII string */
      for( z = zV; z[0] && z[0] != '/' ;){
        if( fossil_isalnum(z[0]) || z[0]=='_' || z[0]=='-' ) z++;
        else break;
      }






      if( z[0] != 0 && z[0] != '/' )
        continue;

      assert( nSubmenu < count(aSubmenu) );
      if(fossil_islower(zV[0]) && z[0]=='/'){
        aSubmenu[nSubmenu].zLabel = mprintf( "%s",zV); /* memory leak?  */
      }else{
        /* prepend a label with an unobtrusive symbol that "sorts-last";
        ** this clearly distincts it from the built-in elements */
        static const char *mark = "✧";







>
>
>
>
>
>
|

>







391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
        continue;
      }
      /* require the first path segment to be unfancy ASCII string */
      for( z = zV; z[0] && z[0] != '/' ;){
        if( fossil_isalnum(z[0]) || z[0]=='_' || z[0]=='-' ) z++;
        else break;
      }
      if( z[0] == '/' ){
        /* values may not contain "../" or "<"  */
        if( strstr(z,"../")!=NULL || strstr(z,"<")!=NULL ){
          continue;
        }
      }
      else if( z[0] != 0 )
        continue;

      assert( nSubmenu < count(aSubmenu) );
      if(fossil_islower(zV[0]) && z[0]=='/'){
        aSubmenu[nSubmenu].zLabel = mprintf( "%s",zV); /* memory leak?  */
      }else{
        /* prepend a label with an unobtrusive symbol that "sorts-last";
        ** this clearly distincts it from the built-in elements */
        static const char *mark = "✧";
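Review bot: the new `strstr(z,"../")` test in the `if( z[0] == '/' )` branch only catches a `..` path segment when a slash follows it, so a value whose last segment is `..` with no trailing slash is not rejected and can still resolve outside the intended page; since the stated goal is to keep the link repo-local, compare each `/`-delimited segment against `..` (and `.`) rather than searching for the substring, or at least also reject values ending in `/..`. The `strstr(z,"<")` test likewise blocks only one character, and whether that alone prevents HTML injection depends on how `zLabel` is emitted later, which these lines do not show; the robust fix is to HTML-escape the value at the point where it is written into the page and treat this filter as an additional guard. The comment `/* values may not contain "../" or "<"  */` should then be updated to describe the segment-wise check.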