
Commit 6991212

committed
Escape HTML in diffs.
1 parent a3758b4 commit 6991212


3 files changed

+30
-14
lines changed


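--- a/lib/git.js
+++ b/lib/git.js
@@ -52,7 +52,13 @@ Git = {
 // zlib files contain a two byte header. (RFC 1950)
 stripZlibHeader: function(zlib) {
 return zlib.slice(2)
-}
+},
 
+escapeHTML: function(s) {
+return s
+.replace(/&/g, '&')
+.replace(/</g, '&lt;')
+.replace(/>/g, '&gt;');
+}
 }
 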
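Review bot: escapeHTML (new lines 57–62) covers `&`, `<` and `>` only, which is enough for the text-content use the other two files make of it inside `<pre>`, but a helper named this generally will eventually be reached for in attribute context, where an unescaped `"` or `'` still breaks out; appending `.replace(/"/g, '&quot;')` and `.replace(/'/g, '&#39;')` to the chain makes it safe in both positions. This page renders the first replacement as `.replace(/&/g, '&')` while the same function in lib/git.min.js reads `'&amp;'`; that is probably a rendering artifact, but if the committed text really is `'&'` the ampersand step is a no-op and a diff line containing literal `&lt;` would display as `<` instead of as its own text, so confirm the source says `'&amp;'`. The function also deserves a one-line JSDoc such as `/** Escape s for use as HTML text content; call after any truncation so an entity is never split. */`, since lib/git/diff.js depends on exactly that ordering.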
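--- a/lib/git.min.js
+++ b/lib/git.min.js
@@ -3530,8 +3530,14 @@ Git = {
 // zlib files contain a two byte header. (RFC 1950)
 stripZlibHeader: function(zlib) {
 return zlib.slice(2)
-}
+},
 
+escapeHTML: function(s) {
+return s
+.replace(/&/g, '&amp;')
+.replace(/</g, '&lt;')
+.replace(/>/g, '&gt;');
+}
 }
 
 
@@ -4788,16 +4794,18 @@ Git.Diff = function(file1, file2, options) {
 str.push(" <div class='diff'>")
 var diff = this
 _(this.info).each(function(chunk) {
-// str.push("@ " + chunk.offset)
 _(chunk.lines).each(function(line) {
-var truncatedLine = line.line.slice(0, Git.Diff.MAX_LINE_CHARS)
+var truncatedLine = Git.escapeHTML(line.line.slice(0, Git.Diff.MAX_LINE_CHARS))
 if (line.type == "context") {
-str.push("<pre class='context'>" + line.oldIndex.toString().rjust(2, " ") + " " + line.newIndex.toString().rjust(2, " ") + " " + truncatedLine + "</pre>")
+var oldIx = line.oldIndex.toString().rjust(2, " ")
+var newIx = line.newIndex.toString().rjust(2, " ")
+str.push("<pre class='context'>" + oldIx + " " + newIx + " " + truncatedLine + "</pre>")
 } else if (line.type == "added") {
-str.push("<pre class='added'>" + " " + line.newIndex.toString().rjust(2, " ") + " +" + truncatedLine + "</pre>")
+var newIx = line.newIndex.toString().rjust(2, " ")
+str.push("<pre class='added'>" + " " + newIx + " +" + truncatedLine + "</pre>")
 } else if (line.type == "removed") {
-str.push("<pre class='removed'>" + line.oldIndex.toString().rjust(2, " ") + " -" + truncatedLine + "</pre>")
-
+var oldIx = line.oldIndex.toString().rjust(2, " ")
+str.push("<pre class='removed'>" + oldIx + " -" + truncatedLine + "</pre>")
 }
 })
 })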

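--- a/lib/git/diff.js
+++ b/lib/git/diff.js
@@ -98,16 +98,18 @@ Git.Diff = function(file1, file2, options) {
 str.push(" <div class='diff'>")
 var diff = this
 _(this.info).each(function(chunk) {
-// str.push("@ " + chunk.offset)
 _(chunk.lines).each(function(line) {
-var truncatedLine = line.line.slice(0, Git.Diff.MAX_LINE_CHARS)
+var truncatedLine = Git.escapeHTML(line.line.slice(0, Git.Diff.MAX_LINE_CHARS))
 if (line.type == "context") {
-str.push("<pre class='context'>" + line.oldIndex.toString().rjust(2, " ") + " " + line.newIndex.toString().rjust(2, " ") + " " + truncatedLine + "</pre>")
+var oldIx = line.oldIndex.toString().rjust(2, " ")
+var newIx = line.newIndex.toString().rjust(2, " ")
+str.push("<pre class='context'>" + oldIx + " " + newIx + " " + truncatedLine + "</pre>")
 } else if (line.type == "added") {
-str.push("<pre class='added'>" + " " + line.newIndex.toString().rjust(2, " ") + " +" + truncatedLine + "</pre>")
+var newIx = line.newIndex.toString().rjust(2, " ")
+str.push("<pre class='added'>" + " " + newIx + " +" + truncatedLine + "</pre>")
 } else if (line.type == "removed") {
-str.push("<pre class='removed'>" + line.oldIndex.toString().rjust(2, " ") + " -" + truncatedLine + "</pre>")
-
+var oldIx = line.oldIndex.toString().rjust(2, " ")
+str.push("<pre class='removed'>" + oldIx + " -" + truncatedLine + "</pre>")
 }
 })
 })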
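Review bot: `oldIx` and `newIx` are each declared with `var` twice inside the same `each(function(line) {...})` callback (new lines 104–105, then again at 108 and 111); `var` is function-scoped, so the later declarations rebind the same variable rather than creating branch-local ones, which is legal but reads as if the three branches were independent. Declaring `var oldIx, newIx` once ahead of the `if` chain and assigning in each branch, e.g. `oldIx = line.oldIndex.toString().rjust(2, " ")`, removes the duplicate declarations while keeping the branch-specific computation (so an added line still never touches `oldIndex`); the same lines are mirrored in lib/git.min.js. Escaping after `slice` on new line 102 is the correct order, since truncating an already-escaped string could cut an entity in half, and a short comment saying so would stop a future reordering: `// escape after truncation so MAX_LINE_CHARS never splits an entity`. The enclosing `Git.Diff` function and both `each` callbacks start and end outside the hunk.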
