Fossil

Check-in [db482f16]

Overview
SHA3-256: db482f1675d5d084ab7f637582256ab7eda3d625e77f3a3ff8080c19142e208d
Date: 2017-05-12 16:22:54
User: drh
Comment: Fix an XSS issue with the /help webpage.
Context
2017-05-12
17:22 [8e27a5a0] Change a few %s format letters into %h. (user: drh, tags: trunk)
16:22 [db482f16] Fix an XSS issue with the /help webpage. (user: drh, tags: trunk)
15:11 [12ab581f] In the "fossil info -v" command, sort the access-url and check-out fields by date, not by name. (user: drh, tags: trunk)
Changes

Changes to src/dispatch.c.


    style_header("Help: %s", zCmd);

    style_submenu_element("Command-List", "%s/help", g.zTop);
    if( *zCmd=='/' ){
      /* Some of the webpages require query parameters in order to work.
      ** @ <h1>The "<a href='%R%s(zCmd)'>%s(zCmd)</a>" page:</h1> */
      @ <h1>The "%s(zCmd)" page:</h1>
    }else{
      @ <h1>The "%s(zCmd)" command:</h1>
    }
    rc = dispatch_name_search(zCmd, CMDFLAG_ANY, &pCmd);
    if( rc==1 ){
      @ unknown command: %s(zCmd)
    }else if( rc==2 ){
      @ ambiguous command prefix: %s(zCmd)
    }else{
      if( pCmd->zHelp[0]==0 ){
        @ no help available for the %s(pCmd->zName) command
      }else{
        @ <blockquote>
        help_to_html(pCmd->zHelp, cgi_output_blob());
        @ </blockquote>
      }
    }
  }else{

    style_header("Help: %s", zCmd);

    style_submenu_element("Command-List", "%s/help", g.zTop);
    if( *zCmd=='/' ){
      /* Some of the webpages require query parameters in order to work.
      ** @ <h1>The "<a href='%R%s(zCmd)'>%s(zCmd)</a>" page:</h1> */
      @ <h1>The "%h(zCmd)" page:</h1>
    }else{
      @ <h1>The "%h(zCmd)" command:</h1>
    }
    rc = dispatch_name_search(zCmd, CMDFLAG_ANY, &pCmd);
    if( rc==1 ){
      @ unknown command: %h(zCmd)
    }else if( rc==2 ){
      @ ambiguous command prefix: %h(zCmd)
    }else{
      if( pCmd->zHelp[0]==0 ){
        @ no help available for the %h(pCmd->zName) command
      }else{
        @ <blockquote>
        help_to_html(pCmd->zHelp, cgi_output_blob());
        @ </blockquote>
      }
    }
  }else{
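Review bot: `style_header("Help: %s", zCmd)` at the top of the hunk still formats the request-derived `zCmd` with `%s` while every `@` output line below it was switched to `%h`; unless `style_header` HTML-escapes its title argument, the same reflected value reaches the page title unescaped and should be changed to `%h` as well (the follow-up check-in [8e27a5a0], "Change a few %s format letters into %h", listed under Context suggests this was picked up next). The commented-out `<a href='%R%s(zCmd)'>` variant preserved in the comment carries the same `%s` and would need escaping before anyone re-enables it. Switching `%s(pCmd->zName)` to `%h` is lower risk, since `pCmd` is filled in by `dispatch_name_search` rather than taken from the request, but it keeps the rule uniform. The commit message would also benefit from stating that the `help_to_html(pCmd->zHelp, ...)` path is unchanged because that function is expected to produce safe HTML on its own.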