From 2ffefa0117565475a16a12fef01c8b6fb83824bd Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY <perl@shiar.org>
Date: Mon, 18 Nov 2019 22:20:45 +0100
Subject: [PATCH] login/commits: escape html characters in commit messages

---
 widget/login/commits.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/widget/login/commits.php b/widget/login/commits.php
index b86b6c5..b9cae45 100644
--- a/widget/login/commits.php
+++ b/widget/login/commits.php
@@ -18,7 +18,8 @@ if ( $log = popen($gitcmd, 'r') ) {
 		list ($atime, $author, $message) = explode("\t", $line, 3);
 		list ($author) = explode(' ', $author); # first name only
 		printf('<li>%s <small class="date">%s â¢ %s</small></li>'."\n",
-			$message, $author, strftime('%F %H:%M', $atime)
+			htmlspecialchars($message),
+			htmlspecialchars($author), strftime('%F %H:%M', $atime)
 		);
 		$lines++;
 	}
-- 
2.30.0

