From 28b528c1abc50f69fca8e6d86844df791845c736 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sun, 17 Aug 2014 23:43:22 +0200
Subject: [PATCH] Ensure proper escaping of /build/.../contents pages
---
 src/lib/Hydra/Controller/Build.pm | 8 ++++----
 src/root/plain.tt | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/Hydra/Controller/Build.pm b/src/lib/Hydra/Controller/Build.pm
index c5d9a1c7..e94f9d9c 100644
--- a/src/lib/Hydra/Controller/Build.pm
+++ b/src/lib/Hydra/Controller/Build.pm
@@ -294,9 +294,9 @@ sub contents : Chained('buildChain') PathPart Args(1) {
 $res = `cd '$path' && find . -print0 | xargs -0 ls -ld --`;
 error($c, "`ls -lR' error: $?") if $? != 0;
- my $baseuri = $c->uri_for('/build', $c->stash->{build}->id, 'download', $product->productnr);
- $baseuri .= "/".$product->name if $product->name;
- $res =~ s/(\.\/)($relPathRE)/$1$2<\/a>/g;
+ #my $baseuri = $c->uri_for('/build', $c->stash->{build}->id, 'download', $product->productnr);
+ #$baseuri .= "/".$product->name if $product->name;
+ #$res =~ s/(\.\/)($relPathRE)/$1$2<\/a>/g;
 }
 elsif ($path =~ /\.rpm$/) {
@@ -337,7 +337,7 @@ sub contents : Chained('buildChain') PathPart Args(1) {
 die unless $res;
 $c->stash->{title} = "Contents of ".$product->path;
- $c->stash->{contents} = "
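Review bot: In the first Build.pm hunk (`@@ -294,9 +294,9 @@`) the three link-building lines are commented out rather than removed, which leaves dead code with no record of why it was disabled. The substitution appears to have written `$baseuri` and the matched file names into markup without escaping, so either delete the lines or put a reason above them, e.g. `# Download links disabled: file names from the listing were inserted into HTML unescaped.` Separately, the context line above still interpolates `$path` into a backtick shell command inside single quotes; if a product path can ever contain a `'`, that quoting no longer holds, so running the commands without a shell (list-form pipe `open` after a `chdir`) or rejecting such paths first would be safer. The `contents` action starts and ends outside this hunk, so where `$path` is validated cannot be seen here.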
$res
";
+ $c->stash->{contents} = decode("utf-8", $res);
 $c->stash->{template} = 'plain.tt';
 }
diff --git a/src/root/plain.tt b/src/root/plain.tt
index 8ec217d0..0b2db510 100644
--- a/src/root/plain.tt
+++ b/src/root/plain.tt
@@ -5,6 +5,6 @@
 [% jobset = build.jobset %]
 [% job = build.job %]
-[% contents %]
+
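Review bot: The new `$c->stash->{contents} = decode("utf-8", $res);` line in the second Build.pm hunk changes the contract of `contents` from ready-made HTML to raw text, and nothing at the assignment says so. A short comment such as `# Raw text, not HTML: plain.tt is responsible for escaping it.` would keep a later change from putting markup back into this value. `decode` also needs Encode to be imported at the top of Build.pm, which this hunk does not show. The `contents` action begins outside the hunk, so the other branches that fill `$res` are not visible here.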
[% HTML.escape(contents) %]
[% END %]
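Review bot: `HTML.escape(contents)` only works if the HTML plugin has been loaded with `[% USE HTML %]` in this template or a wrapper, and lines 1–4 of plain.tt are outside the hunk, so that cannot be confirmed here. The built-in filter form `[% contents | html %]` gives the same escaping without depending on the plugin. plain.tt also looks like a shared template, so any other action that stashes pre-built markup in `contents` would now be rendered escaped; the remaining callers are worth checking before this lands.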