Log Message: ----------- Partial revert of rev. 3.119.2.15: The variables $barequery and $query typically contain literal "&" characters separating multiple variable assignments; the cvsweb.cgi program itself constructs them that way near the beginning of the main program. So they must not be passed through htmlquote() or the URIs in question get broken. I will have to fix the XSS issues differently. Tags: ---- FreeBSD-cvsweb-2_0-branch Modified Files: -------------- cvsweb: cvsweb.cgi Revision Data -------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.20
retrieving revision 3.119.2.21
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.20 -r3.119.2.21
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -2608,11 +2608,8 @@ sub printLog($;$) {
 print " - ";
 print &link( 'annotate',
- sprintf(
- '%s/%s?annotate=%s%s', $scriptname,
- urlencode($where), $_,
- htmlquote($barequery)
- )
+ sprintf('%s/%s?annotate=%s%s', $scriptname, urlencode($where), $_, $barequery)
 );
 }
@@ -2622,10 +2619,8 @@ sub printLog($;$) {
 print " - ";
 print &link( '[select for diffs]',
- sprintf(
- '%s?r1=%s%s', $scriptwhere,
- $_, htmlquote($barequery)
- )
+ sprintf('%s?r1=%s%s', $scriptwhere,
+ $_, $barequery)
 );
 } else {
 print " - <b>[selected]</b>";
@@ -3267,7 +3262,7 @@ sub clickablePath($$) {
 join ('', $scriptname, urlencode($wherepath), (!$last || $lastslash ? '/' : ''),
- htmlquote($query),
+ $query,
 (!$last || $lastslash ? "#dirlist" : "") ));
 } else { # do not make a link to the current dir
-- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
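Review bot: After this revert the sprintf calls at 2608 and 2622 interpolate `$barequery`, and the join at 3267 interpolates `$query`, into link hrefs with no HTML-attribute escaping at all, and the log message itself records that the XSS fix is deferred rather than replaced. Since a browser decodes `&amp;` back to `&` inside an href attribute, the URI breakage described in the log more likely came from a second escaping pass downstream (for instance inside `link()`, whose body is not in these hunks) than from htmlquote() itself, which is worth confirming before choosing the replacement fix. A fix that keeps the `&` separators intact is to urlencode each value at the point near the start of the main program where `$barequery` and `$query` are assembled, so the finished strings can only hold `&`, `=` and URL-safe characters, and then escape exactly once where the HTML is emitted. Until that lands, a comment on each reverted line, `# $barequery is inserted unescaped; its values must be urlencoded where it is built (XSS note, rev 3.119.2.21 log)`, keeps the open issue visible to the next reader of printLog and clickablePath. Both printLog and clickablePath begin and end outside these hunks.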