From 7667f2eb6bf60bb3818fabf9188ed61867ca5fee Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay" <mackyle@gmail.com>
Date: Thu, 20 Jun 2013 14:29:38 -0700
Subject: [PATCH] CGI.pm: Use escapeHTML on heading/section names

---
 Girocco/CGI.pm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/Girocco/CGI.pm b/Girocco/CGI.pm
index b7baa27..17ada29 100644
--- a/Girocco/CGI.pm
+++ b/Girocco/CGI.pm
@@ -21,8 +21,10 @@ sub new {
 	my ($heading, $section, $extrahead) = @_;
 	my $gcgi = {};
 
-	$section ||= 'administration';
-	$extrahead ||= '';
+	$heading = CGI::escapeHTML($heading || '');
+	$section = CGI::escapeHTML($section || 'administration');
+	$extrahead = CGI::escapeHTML($extrahead || '');
+	my $name = CGI::escapeHTML($Girocco::Config::name || '');
 
 	$gcgi->{cgi} = CGI->new;
 
@@ -38,7 +40,7 @@ sub new {
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
 
 <head>
-<title>$Girocco::Config::name :: $heading</title>
+<title>$name :: $heading</title>
 <link rel="stylesheet" type="text/css" href="$Girocco::Config::gitwebfiles/gitweb.css"/>
 <link rel="stylesheet" type="text/css" href="$Girocco::Config::gitwebfiles/girocco.css"/>
 <link rel="shortcut icon" href="$Girocco::Config::gitwebfiles/git-favicon.png" type="image/png"/>
@@ -50,7 +52,7 @@ $extrahead</head>
 
 <div class="page_header">
 <a href="http://git.or.cz/" title="Git homepage"><img src="$Girocco::Config::gitwebfiles/git-logo.png" width="72" height="27" alt="git" style="float:right; border-width:0px;"/></a>
-<a href="$Girocco::Config::gitweburl">$Girocco::Config::name</a> / $section / $heading
+<a href="$Girocco::Config::gitweburl">$name</a> / $section / $heading
 </div>
 
 EOT
-- 
2.11.4.GIT