From mboxrd@z Thu Jan  1 00:00:00 1970
From: john at keeping.me.uk (John Keeping)
Date: Sun, 12 Jan 2014 19:45:17 +0000
Subject: [PATCH 3/3] ui-repolist: HTML-escape cgit_rooturl() response
In-Reply-To: <432e1f40c0d887db602ec9411ae16c45896a54f5.1389555852.git.john@keeping.me.uk>
References: <432e1f40c0d887db602ec9411ae16c45896a54f5.1389555852.git.john@keeping.me.uk>
Message-ID: <a1bd71909a8aec1c4419d04d307f455742f0cd2c.1389555852.git.john@keeping.me.uk>

This is for consistency with other callers.  The value returned from
cgit_rooturl is not guaranteed to be HTML-safe.

Signed-off-by: John Keeping <john at keeping.me.uk>
---
 ui-repolist.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ui-repolist.c b/ui-repolist.c
index d4ee279..e8d5eb6 100644
--- a/ui-repolist.c
+++ b/ui-repolist.c
@@ -106,7 +106,9 @@ static int is_in_url(struct cgit_repo *repo)
 
 static void print_sort_header(const char *title, const char *sort)
 {
-	htmlf("<th class='left'><a href='%s?s=%s", cgit_rooturl(), sort);
+	html("<th class='left'><a href='");
+	html_attr(cgit_rooturl());
+	htmlf("?s=%s", sort);
 	if (ctx.qry.search) {
 		html("&amp;q=");
 		html_url_arg(ctx.qry.search);
-- 
1.8.5.226.g0d60d77