Make sure to html escape commit messages
Make sure to html escape commit messages

--- a/templates/commit.tpl
+++ b/templates/commit.tpl
@@ -63,7 +63,7 @@
  </div>
  <div class="page_body">
    {foreach from=$commit->GetComment() item=line}
-     {$line}<br />
+     {$line|escape}<br />
    {/foreach}
  </div>
  <div class="list_head">

--- a/templates/commitdiff.tpl
+++ b/templates/commitdiff.tpl
@@ -21,7 +21,7 @@
  
  <div class="page_body">
    {foreach from=$commit->GetComment() item=line}
-     {$line}<br />
+     {$line|escape}<br />
    {/foreach}
    <br />
    {* Diff each file changed *}

--- a/templates/log.tpl
+++ b/templates/log.tpl
@@ -68,7 +68,7 @@
    </div>
    <div class="log_body">
      {foreach from=$rev->GetComment() item=line}
-       {$line}<br />
+       {$line|escape}<br />
      {/foreach}
      {if count($rev->GetComment()) > 0}
        <br />

--- a/templates/shortloglist.tpl
+++ b/templates/shortloglist.tpl
@@ -15,7 +15,7 @@
        <td title="{if $rev->GetAge() > 60*60*24*7*2}{$rev->GetAge()|agestring}{else}{$rev->GetCommitterEpoch()|date_format:"%Y-%m-%d"}{/if}"><em>{if $rev->GetAge() > 60*60*24*7*2}{$rev->GetCommitterEpoch()|date_format:"%Y-%m-%d"}{else}{$rev->GetAge()|agestring}{/if}</em></td>
        <td><em>{$rev->GetAuthorName()}</em></td>
        <td>
-         <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=commit&amp;h={$rev->GetHash()}" class="list commitTip" {if strlen($rev->GetTitle()) > 50}title="{$rev->GetTitle()|htmlspecialchars}"{/if}><strong>{$rev->GetTitle(50)}</strong></a>
+         <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=commit&amp;h={$rev->GetHash()}" class="list commitTip" {if strlen($rev->GetTitle()) > 50}title="{$rev->GetTitle()|htmlspecialchars}"{/if}><strong>{$rev->GetTitle(50)|escape}</strong></a>
 	 {include file='refbadges.tpl' commit=$rev}
        </td>
        <td class="link">
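Review bot: The author name on the line above the changed one, `<td><em>{$rev->GetAuthorName()}</em></td>`, is still emitted unescaped even though it is attacker-controlled in exactly the same way as the commit title being fixed here; it should become `{$rev->GetAuthorName()|escape}`. The same anchor line also escapes the title attribute with `|htmlspecialchars` while the visible text now uses `|escape` — picking one modifier for both keeps the escaping rules identical in the attribute and element contexts. The hash in the `h=` query parameter is presumably hex and safe as-is, but it is the only remaining raw interpolation in this row, so confirm that GetHash() cannot return user-supplied text. The enclosing table row starts before this hunk, so earlier cells were not reviewed.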
