Fix unescaped user input in tree/blob filenames
blob:a/templates/blob.tpl -> blob:b/templates/blob.tpl
{* {*
* blob.tpl * blob.tpl
* gitphp: A PHP git repository browser * gitphp: A PHP git repository browser
* Component: Blob view template * Component: Blob view template
* *
* Copyright (C) 2009 Christopher Han <xiphux@gmail.com> * Copyright (C) 2009 Christopher Han <xiphux@gmail.com>
*} *}
{extends file='projectbase.tpl'} {extends file='projectbase.tpl'}
   
{block name=css} {block name=css}
{if $geshicss} {if $geshicss}
<style type="text/css"> <style type="text/css">
{$geshicss} {$geshicss}
</style> </style>
{/if} {/if}
{/block} {/block}
   
{block name=javascriptpaths} {block name=javascriptpaths}
{if file_exists('js/blob.min.js')} {if file_exists('js/blob.min.js')}
GitPHPJSPaths.blob = "blob.min"; GitPHPJSPaths.blob = "blob.min";
{/if} {/if}
{/block} {/block}
{block name=javascriptmodules} {block name=javascriptmodules}
GitPHPJSModules = ['blob']; GitPHPJSModules = ['blob'];
{/block} {/block}
   
{block name=main} {block name=main}
   
<div class="page_nav"> <div class="page_nav">
{include file='nav.tpl' treecommit=$commit} {include file='nav.tpl' treecommit=$commit}
<br /> <br />
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()}">{t}plain{/t}</a> | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}">{t}plain{/t}</a> |
{if ($commit->GetHash() != $head->GetHash()) && ($head->PathToHash($blob->GetPath()))} {if ($commit->GetHash() != $head->GetHash()) && ($head->PathToHash($blob->GetPath()))}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;hb=HEAD&amp;f={$blob->GetPath()}">{t}HEAD{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;hb=HEAD&amp;f={$blob->GetPath()|escape:'url'}">{t}HEAD{/t}</a>
{else} {else}
{t}HEAD{/t} {t}HEAD{/t}
{/if} {/if}
{if $blob->GetPath()} {if $blob->GetPath()}
| <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=history&amp;h={$commit->GetHash()}&amp;f={$blob->GetPath()}">{t}history{/t}</a> | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=history&amp;h={$commit->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}">{t}history{/t}</a>
{if !$datatag} | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blame&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()}&amp;hb={$commit->GetHash()}" id="blameLink">{t}blame{/t}</a>{/if} {if !$datatag} | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blame&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}&amp;hb={$commit->GetHash()}" id="blameLink">{t}blame{/t}</a>{/if}
{/if} {/if}
<br /> <br />
</div> </div>
   
{include file='title.tpl' titlecommit=$commit} {include file='title.tpl' titlecommit=$commit}
   
{include file='path.tpl' pathobject=$blob target='blobplain'} {include file='path.tpl' pathobject=$blob target='blobplain'}
   
<div class="page_body"> <div class="page_body">
{if $datatag} {if $datatag}
{* We're trying to display an image *} {* We're trying to display an image *}
<div> <div>
<img src="data:{$mime};base64,{$data}" /> <img src="data:{$mime};base64,{$data}" />
</div> </div>
{elseif $geshi} {elseif $geshi}
{* We're using the highlighted output from geshi *} {* We're using the highlighted output from geshi *}
{$geshiout} {$geshiout}
{else} {else}
{* Just plain display *} {* Just plain display *}
<table class="code" id="blobData"> <table class="code" id="blobData">
<tbody> <tbody>
<tr class="li1"> <tr class="li1">
<td class="ln"> <td class="ln">
<pre class="de1"> <pre class="de1">
{foreach from=$bloblines item=line name=bloblines} {foreach from=$bloblines item=line name=bloblines}
<a id="l{$smarty.foreach.bloblines.iteration}" href="#l{$smarty.foreach.bloblines.iteration}" class="linenr">{$smarty.foreach.bloblines.iteration}</a> <a id="l{$smarty.foreach.bloblines.iteration}" href="#l{$smarty.foreach.bloblines.iteration}" class="linenr">{$smarty.foreach.bloblines.iteration}</a>
{/foreach} {/foreach}
</pre></td> </pre></td>
<td class="de1"> <td class="de1">
<pre class="de1"> <pre class="de1">
{foreach from=$bloblines item=line name=bloblines} {foreach from=$bloblines item=line name=bloblines}
{$line|escape} {$line|escape}
{/foreach} {/foreach}
</pre> </pre>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
{/if} {/if}
</div> </div>
   
{/block} {/block}
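Review bot: The image branch still writes `{$mime}` unescaped into an attribute value, `<img src="data:{$mime};base64,{$data}" />`, and this fix leaves it as is. If the MIME type is derived from the file name or file content (not visible from this template), it should be output as `{$mime|escape}`, like the `{$line|escape}` already used for blob lines. The four patched links (plain, HEAD, history, blame) also still emit `{$SCRIPT_NAME}`, `{$blob->GetHash()}` and `{$commit->GetHash()}` raw inside `href`; that is only safe if those values are validated before they reach the template, which is worth confirming. As a style point, the same URLs now mix `|urlencode` for the project with `|escape:'url'` for the path; using one modifier for every query parameter would make a missing one easier to spot in review.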
   