[PATCH 2/2] ui-shared: emit root-desc-html and repo.desc-html after their text counterparts

John Keeping john at keeping.me.uk
Sat Jun 23 12:53:42 CEST 2018

On Sat, Jun 23, 2018 at 06:33:38PM +0800, Andy Green wrote:
> On 06/23/2018 06:28 PM, John Keeping wrote:
> > On Thu, Jun 21, 2018 at 02:46:47PM +0800, Andy Green wrote:
> >> Where root-desc and repo.desc are used in the header region, also
> >> emit their html counterparts afterwards if they are defined.
> >>
> >> Where root-desc are repo.desc are used outside the header,
> >> eg in the repo list, leave it as it is without adding any
> >> related html.
> >>
> >> Signed-off-by: Andy Green <andy at warmcat.com>
> >> ---
> > 
> > I think this should be squashed with the previous patch since it makes
> > it easier to see what's going on.
> > 
> > When I read your initial email on this, I thought we could introduce a
> > new HTML version of the description and use that *instead of* the plain
> > text one if the HTML variant is available.
> I actually first implemented just rendering what we have as raw html...

I don't think we can do that without introducing an HTML injection risk
in configurations that are currently safe.

> > Having looked at the current implementation of repo->desc, I think
> > that's desirable because the reason we don't have a null-check for that
> > in the context below is that it will be set to "[no description]" if no
> > other value is provided.  If a user has set repo->desc_html, I don't
> > think we want to print "[no description]" before showing the HTML
> > description!
> I take the point, but it turned out there are two separate kinds of 
> description here... the text-only, existing one that is used, eg, in the 
> list of repos.  And a "functional" HTML part that has buttons or 
> whatever specific to the repo and used on the header part.
> With just treating them as one, the repo list gained meaningless HTML 
> buttons or pictures or whatever decoration was put there.  The repo list 
> just wants a short textual description that already exists.  So it 
> arrived at this, leave that be, and add an optional HTML decoration part.

OK, that makes sense.  Maybe we need the following check, but it is
quite ugly!

	if (ctx.repo->desc &&
	    (ctx.repo->desc != cgit_default_repo_desc ||

that is, show the plain text description only if it has been customised
or if there is no HTML description.

More information about the CGit mailing list