the repository which powers this website
ui-repolist: HTML-escape cgit_rooturl() response
This is for consistency with other callers. The value returned from cgit_rooturl is not guaranteed to be HTML-safe.

Signed-off-by: John Keeping <[email protected]>
John Keeping 2014-01-13
parent a45030f · commit 1de6591
-rw-r--r-- ui-repolist.c 4
1 files changed, 3 insertions, 1 deletions
diff --git a/ui-repolist.c b/ui-repolist.c
index f622a013..7b1fec30 100644
--- a/ui-repolist.c
+++ b/ui-repolist.c
@@ -106,7 +106,9 @@ static int is_in_url(struct cgit_repo *repo)
static void print_sort_header(const char *title, const char *sort)
{
- htmlf("<th class='left'><a href='%s?s=%s", cgit_rooturl(), sort);
+ html("<th class='left'><a href='");
+ html_attr(cgit_rooturl());
+ htmlf("?s=%s", sort);
if (ctx.qry.search) {
html("&amp;q=");
html_url_arg(ctx.qry.search);
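Review bot: the `sort` argument on the new `htmlf("?s=%s", sort);` line is still written into the single-quoted href through a raw %s, so only half of the attribute value is escaped after this change. If every caller of print_sort_header passes a fixed literal, that is safe but worth a short comment saying so; otherwise emit it with html("?s="); followed by html_url_arg(sort);, matching how ctx.qry.search is handled two lines below. The commit message says the escaping is for consistency with other callers, and it would help to name which escaping helper those callers use, so the choice of html_attr() here can be checked against them.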