gitweb: protect blob and diff output lines from controls.
[gitweb.git] / gitweb / gitweb.perl
index 6035980c3044beffa658155233d846137d1574a5..f4d1ef007b56d5a069146f5997d956a4848fec10 100755 (executable)
        'pathinfo' => {
                'override' => 0,
                'default' => [0]},
+
+       # Make gitweb consider projects in project root subdirectories
+       # to be forks of existing projects. Given project $projname.git,
+       # projects matching $projname/*.git will not be shown in the main
+       # projects list, instead a '+' mark will be added to $projname
+       # there and a 'forks' view will be enabled for the project, listing
+       # all the forks. This feature is supported only if project list
+       # is taken from a directory, not file.
+
+       # To enable system wide have in $GITWEB_CONFIG
+       # $feature{'forks'}{'default'} = [1];
+       # Project specific override is not supported.
+       'forks' => {
+               'override' => 0,
+               'default' => [0]},
 );
 
 sub gitweb_check_feature {
@@ -405,6 +420,7 @@ sub evaluate_path_info {
        "commitdiff" => \&git_commitdiff,
        "commitdiff_plain" => \&git_commitdiff_plain,
        "commit" => \&git_commit,
+       "forks" => \&git_forks,
        "heads" => \&git_heads,
        "history" => \&git_history,
        "log" => \&git_log,
@@ -554,21 +570,87 @@ sub esc_url {
 }
 
 # replace invalid utf8 character with SUBSTITUTION sequence
-sub esc_html {
+sub esc_html ($;%) {
        my $str = shift;
+       my %opts = @_;
+
        $str = to_utf8($str);
        $str = escapeHTML($str);
-       $str =~ s/\014/^L/g; # escape FORM FEED (FF) character (e.g. in COPYING file)
-       $str =~ s/\033/^[/g; # "escape" ESCAPE (\e) character (e.g. commit 20a3847d8a5032ce41f90dcc68abfb36e6fee9b1)
+       if ($opts{'-nbsp'}) {
+               $str =~ s/ / /g;
+       }
+       $str =~ s|([[:cntrl:]])|(($1 ne "\t") ? quot_cec($1) : $1)|eg;
+       return $str;
+}
+
+# Make control characterss "printable".
+sub quot_cec {
+       my $cntrl = shift;
+       my %es = ( # character escape codes, aka escape sequences
+                  "\t" => '\t',   # tab            (HT)
+                  "\n" => '\n',   # line feed      (LF)
+                  "\r" => '\r',   # carrige return (CR)
+                  "\f" => '\f',   # form feed      (FF)
+                  "\b" => '\b',   # backspace      (BS)
+                  "\a" => '\a',   # alarm (bell)   (BEL)
+                  "\e" => '\e',   # escape         (ESC)
+                  "\013" => '\v', # vertical tab   (VT)
+                  "\000" => '\0', # nul character  (NUL)
+                  );
+       my $chr = ( (exists $es{$cntrl})
+                   ? $es{$cntrl}
+                   : sprintf('\%03o', ord($cntrl)) );
+       return "<span class=\"cntrl\">$chr</span>";
+}
+
+# Alternatively use unicode control pictures codepoints.
+sub quot_upr {
+       my $cntrl = shift;
+       my $chr = sprintf('&#%04d;', 0x2400+ord($cntrl));
+       return "<span class=\"cntrl\">$chr</span>";
+}
+
+# quote control characters and escape filename to HTML
+sub esc_path {
+       my $str = shift;
+
+       $str = esc_html($str);
+       $str =~ s|([[:cntrl:]])|quot_cec($1)|eg;
        return $str;
 }
 
 # git may return quoted and escaped filenames
 sub unquote {
        my $str = shift;
+
+       sub unq {
+               my $seq = shift;
+               my %es = ( # character escape codes, aka escape sequences
+                       't' => "\t",   # tab            (HT, TAB)
+                       'n' => "\n",   # newline        (NL)
+                       'r' => "\r",   # return         (CR)
+                       'f' => "\f",   # form feed      (FF)
+                       'b' => "\b",   # backspace      (BS)
+                       'a' => "\a",   # alarm (bell)   (BEL)
+                       'e' => "\e",   # escape         (ESC)
+                       'v' => "\013", # vertical tab   (VT)
+               );
+
+               if ($seq =~ m/^[0-7]{1,3}$/) {
+                       # octal char sequence
+                       return chr(oct($seq));
+               } elsif (exists $es{$seq}) {
+                       # C escape sequence, aka character escape code
+                       return $es{$seq}
+               }
+               # quoted ordinary character
+               return $seq;
+       }
+
        if ($str =~ m/^"(.*)"$/) {
+               # needs unquoting
                $str = $1;
-               $str =~ s/\\([0-7]{1,3})/chr(oct($1))/eg;
+               $str =~ s/\\([^0-7]|[0-7]{1,3})/unq($1)/eg;
        }
        return $str;
 }
@@ -702,6 +784,32 @@ sub file_type {
        }
 }
 
+# convert file mode in octal to file type description string
+sub file_type_long {
+       my $mode = shift;
+
+       if ($mode !~ m/^[0-7]+$/) {
+               return $mode;
+       } else {
+               $mode = oct $mode;
+       }
+
+       if (S_ISDIR($mode & S_IFMT)) {
+               return "directory";
+       } elsif (S_ISLNK($mode)) {
+               return "symlink";
+       } elsif (S_ISREG($mode)) {
+               if ($mode & S_IXUSR) {
+                       return "executable";
+               } else {
+                       return "file";
+               };
+       } else {
+               return "unknown";
+       }
+}
+
+
 ## ----------------------------------------------------------------------
 ## functions returning short HTML fragments, or transforming HTML fragments
 ## which don't beling to other sections
@@ -784,7 +892,7 @@ sub format_diff_line {
                $diff_class = " incomplete";
        }
        $line = untabify($line);
-       return "<div class=\"diff$diff_class\">" . esc_html($line) . "</div>\n";
+       return "<div class=\"diff$diff_class\">" . esc_html($line, -nbsp=>1) . "</div>\n";
 }
 
 ## ----------------------------------------------------------------------
@@ -860,7 +968,7 @@ sub git_get_hash_by_path {
        close $fd or return undef;
 
        #'100644 blob 0fa3f3a66fb6a137f6ec2c19351ed4d807070ffa  panic.c'
-       $line =~ m/^([0-9]+) (.+) ([0-9a-fA-F]{40})\t(.+)$/;
+       $line =~ m/^([0-9]+) (.+) ([0-9a-fA-F]{40})\t/;
        if (defined $type && $type ne $2) {
                # type doesn't match
                return undef;
@@ -892,13 +1000,21 @@ sub git_get_project_url_list {
 }
 
 sub git_get_projects_list {
+       my ($filter) = @_;
        my @list;
 
+       $filter ||= '';
+       $filter =~ s/\.git$//;
+
        if (-d $projects_list) {
                # search in directory
-               my $dir = $projects_list;
+               my $dir = $projects_list . ($filter ? "/$filter" : '');
+               # remove the trailing "/"
+               $dir =~ s!/+$!!;
                my $pfxlen = length("$dir");
 
+               my ($check_forks) = gitweb_check_feature('forks');
+
                File::Find::find({
                        follow_fast => 1, # follow symbolic links
                        dangling_symlinks => 0, # ignore dangling symlinks, silently
@@ -910,8 +1026,10 @@ sub git_get_projects_list {
 
                                my $subdir = substr($File::Find::name, $pfxlen + 1);
                                # we check related file in $projectroot
-                               if (check_export_ok("$projectroot/$subdir")) {
-                                       push @list, { path => $subdir };
+                               if ($check_forks and $subdir =~ m#/.#) {
+                                       $File::Find::prune = 1;
+                               } elsif (check_export_ok("$projectroot/$filter/$subdir")) {
+                                       push @list, { path => ($filter ? "$filter/" : '') . $subdir };
                                        $File::Find::prune = 1;
                                }
                        },
@@ -931,6 +1049,17 @@ sub git_get_projects_list {
                        if (!defined $path) {
                                next;
                        }
+                       if ($filter ne '') {
+                               # looking for forks;
+                               my $pfx = substr($path, 0, length($filter));
+                               if ($pfx ne $filter) {
+                                       next;
+                               }
+                               my $sfx = substr($path, length($filter));
+                               if ($sfx !~ /^\/.*\.git$/) {
+                                       next;
+                               }
+                       }
                        if (check_export_ok("$projectroot/$path")) {
                                my $pr = {
                                        path => $path,
@@ -1277,7 +1406,7 @@ ($;%)
        my %res;
 
        #'100644 blob 0fa3f3a66fb6a137f6ec2c19351ed4d807070ffa  panic.c'
-       $line =~ m/^([0-9]+) (.+) ([0-9a-fA-F]{40})\t(.+)$/;
+       $line =~ m/^([0-9]+) (.+) ([0-9a-fA-F]{40})\t(.+)$/s;
 
        $res{'mode'} = $1;
        $res{'type'} = $2;
@@ -1294,47 +1423,88 @@ ($;%)
 ## ......................................................................
 ## parse to array of hashes functions
 
-sub git_get_refs_list {
-       my $type = shift || "";
-       my %refs;
-       my @reflist;
+sub git_get_heads_list {
+       my $limit = shift;
+       my @headslist;
 
-       my @refs;
-       open my $fd, "-|", $GIT, "peek-remote", "$projectroot/$project/"
+       open my $fd, '-|', git_cmd(), 'for-each-ref',
+               ($limit ? '--count='.($limit+1) : ()), '--sort=-committerdate',
+               '--format=%(objectname) %(refname) %(subject)%00%(committer)',
+               'refs/heads'
                or return;
        while (my $line = <$fd>) {
-               chomp $line;
-               if ($line =~ m/^([0-9a-fA-F]{40})\trefs\/($type\/?([^\^]+))(\^\{\})?$/) {
-                       if (defined $refs{$1}) {
-                               push @{$refs{$1}}, $2;
-                       } else {
-                               $refs{$1} = [ $2 ];
-                       }
+               my %ref_item;
 
-                       if (! $4) { # unpeeled, direct reference
-                               push @refs, { hash => $1, name => $3 }; # without type
-                       } elsif ($3 eq $refs[-1]{'name'}) {
-                               # most likely a tag is followed by its peeled
-                               # (deref) one, and when that happens we know the
-                               # previous one was of type 'tag'.
-                               $refs[-1]{'type'} = "tag";
-                       }
+               chomp $line;
+               my ($refinfo, $committerinfo) = split(/\0/, $line);
+               my ($hash, $name, $title) = split(' ', $refinfo, 3);
+               my ($committer, $epoch, $tz) =
+                       ($committerinfo =~ /^(.*) ([0-9]+) (.*)$/);
+               $name =~ s!^refs/heads/!!;
+
+               $ref_item{'name'}  = $name;
+               $ref_item{'id'}    = $hash;
+               $ref_item{'title'} = $title || '(no commit message)';
+               $ref_item{'epoch'} = $epoch;
+               if ($epoch) {
+                       $ref_item{'age'} = age_string(time - $ref_item{'epoch'});
+               } else {
+                       $ref_item{'age'} = "unknown";
                }
+
+               push @headslist, \%ref_item;
        }
        close $fd;
 
-       foreach my $ref (@refs) {
-               my $ref_file = $ref->{'name'};
-               my $ref_id   = $ref->{'hash'};
+       return wantarray ? @headslist : \@headslist;
+}
+
+sub git_get_tags_list {
+       my $limit = shift;
+       my @tagslist;
+
+       open my $fd, '-|', git_cmd(), 'for-each-ref',
+               ($limit ? '--count='.($limit+1) : ()), '--sort=-creatordate',
+               '--format=%(objectname) %(objecttype) %(refname) '.
+               '%(*objectname) %(*objecttype) %(subject)%00%(creator)',
+               'refs/tags'
+               or return;
+       while (my $line = <$fd>) {
+               my %ref_item;
+
+               chomp $line;
+               my ($refinfo, $creatorinfo) = split(/\0/, $line);
+               my ($id, $type, $name, $refid, $reftype, $title) = split(' ', $refinfo, 6);
+               my ($creator, $epoch, $tz) =
+                       ($creatorinfo =~ /^(.*) ([0-9]+) (.*)$/);
+               $name =~ s!^refs/tags/!!;
+
+               $ref_item{'type'} = $type;
+               $ref_item{'id'} = $id;
+               $ref_item{'name'} = $name;
+               if ($type eq "tag") {
+                       $ref_item{'subject'} = $title;
+                       $ref_item{'reftype'} = $reftype;
+                       $ref_item{'refid'}   = $refid;
+               } else {
+                       $ref_item{'reftype'} = $type;
+                       $ref_item{'refid'}   = $id;
+               }
 
-               my $type = $ref->{'type'} || git_get_type($ref_id) || next;
-               my %ref_item = parse_ref($ref_file, $ref_id, $type);
+               if ($type eq "tag" || $type eq "commit") {
+                       $ref_item{'epoch'} = $epoch;
+                       if ($epoch) {
+                               $ref_item{'age'} = age_string(time - $ref_item{'epoch'});
+                       } else {
+                               $ref_item{'age'} = "unknown";
+                       }
+               }
 
-               push @reflist, \%ref_item;
+               push @tagslist, \%ref_item;
        }
-       # sort refs by age
-       @reflist = sort {$b->{'epoch'} <=> $a->{'epoch'}} @reflist;
-       return (\@reflist, \%refs);
+       close $fd;
+
+       return wantarray ? @tagslist : \@tagslist;
 }
 
 ## ----------------------------------------------------------------------
@@ -1437,7 +1607,7 @@ sub git_header_html {
                if (defined $action) {
                        $title .= "/$action";
                        if (defined $file_name) {
-                               $title .= " - " . esc_html($file_name);
+                               $title .= " - " . esc_path($file_name);
                                if ($action eq "tree" && $file_name !~ m|/$|) {
                                        $title .= "/";
                                }
@@ -1708,20 +1878,20 @@ sub git_print_page_path {
                        $fullname .= ($fullname ? '/' : '') . $dir;
                        print $cgi->a({-href => href(action=>"tree", file_name=>$fullname,
                                                     hash_base=>$hb),
-                                     -title => $fullname}, esc_html($dir));
+                                     -title => esc_html($fullname)}, esc_path($dir));
                        print " / ";
                }
                if (defined $type && $type eq 'blob') {
                        print $cgi->a({-href => href(action=>"blob_plain", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => $name}, esc_html($basename));
+                                     -title => esc_html($name)}, esc_path($basename));
                } elsif (defined $type && $type eq 'tree') {
                        print $cgi->a({-href => href(action=>"tree", file_name=>$file_name,
                                                     hash_base=>$hb),
-                                     -title => $name}, esc_html($basename));
+                                     -title => esc_html($name)}, esc_path($basename));
                        print " / ";
                } else {
-                       print esc_html($basename);
+                       print esc_path($basename);
                }
        }
        print "<br/></div>\n";
@@ -1793,7 +1963,7 @@ sub git_print_tree_entry {
                print "<td class=\"list\">" .
                        $cgi->a({-href => href(action=>"blob", hash=>$t->{'hash'},
                                               file_name=>"$basedir$t->{'name'}", %base_key),
-                               -class => "list"}, esc_html($t->{'name'})) . "</td>\n";
+                               -class => "list"}, esc_path($t->{'name'})) . "</td>\n";
                print "<td class=\"link\">";
                print $cgi->a({-href => href(action=>"blob", hash=>$t->{'hash'},
                                             file_name=>"$basedir$t->{'name'}", %base_key)},
@@ -1820,7 +1990,7 @@ sub git_print_tree_entry {
                print "<td class=\"list\">";
                print $cgi->a({-href => href(action=>"tree", hash=>$t->{'hash'},
                                             file_name=>"$basedir$t->{'name'}", %base_key)},
-                             esc_html($t->{'name'}));
+                             esc_path($t->{'name'}));
                print "</td>\n";
                print "<td class=\"link\">";
                print $cgi->a({-href => href(action=>"tree", hash=>$t->{'hash'},
@@ -1841,7 +2011,7 @@ sub git_print_tree_entry {
 
 sub git_difftree_body {
        my ($difftree, $hash, $parent) = @_;
-
+       my ($have_blame) = gitweb_check_feature('blame');
        print "<div class=\"list_head\">\n";
        if ($#{$difftree} > 10) {
                print(($#{$difftree} + 1) . " files changed:\n");
@@ -1885,7 +2055,7 @@ sub git_difftree_body {
                        print "<td>";
                        print $cgi->a({-href => href(action=>"blob", hash=>$diff{'to_id'},
                                                     hash_base=>$hash, file_name=>$diff{'file'}),
-                                     -class => "list"}, esc_html($diff{'file'}));
+                                     -class => "list"}, esc_path($diff{'file'}));
                        print "</td>\n";
                        print "<td>$mode_chng</td>\n";
                        print "<td class=\"link\">";
@@ -1901,7 +2071,7 @@ sub git_difftree_body {
                        print "<td>";
                        print $cgi->a({-href => href(action=>"blob", hash=>$diff{'from_id'},
                                                     hash_base=>$parent, file_name=>$diff{'file'}),
-                                      -class => "list"}, esc_html($diff{'file'}));
+                                      -class => "list"}, esc_path($diff{'file'}));
                        print "</td>\n";
                        print "<td>$mode_chng</td>\n";
                        print "<td class=\"link\">";
@@ -1914,9 +2084,13 @@ sub git_difftree_body {
                        print $cgi->a({-href => href(action=>"blob", hash=>$diff{'from_id'},
                                                     hash_base=>$parent, file_name=>$diff{'file'})},
                                      "blob") . " | ";
-                       print $cgi->a({-href => href(action=>"blame", hash_base=>$parent,
-                                                    file_name=>$diff{'file'})},
-                                     "blame") . " | ";
+                       if ($have_blame) {
+                               print $cgi->a({-href =>
+                                                  href(action=>"blame",
+                                                       hash_base=>$parent,
+                                                       file_name=>$diff{'file'})},
+                                             "blame") . " | ";
+                       }
                        print $cgi->a({-href => href(action=>"history", hash_base=>$parent,
                                                     file_name=>$diff{'file'})},
                                      "history");
@@ -1941,30 +2115,33 @@ sub git_difftree_body {
                        print "<td>";
                        print $cgi->a({-href => href(action=>"blob", hash=>$diff{'to_id'},
                                                     hash_base=>$hash, file_name=>$diff{'file'}),
-                                     -class => "list"}, esc_html($diff{'file'}));
+                                     -class => "list"}, esc_path($diff{'file'}));
                        print "</td>\n";
                        print "<td>$mode_chnge</td>\n";
                        print "<td class=\"link\">";
-                       if ($diff{'to_id'} ne $diff{'from_id'}) { # modified
-                               if ($action eq 'commitdiff') {
-                                       # link to patch
-                                       $patchno++;
-                                       print $cgi->a({-href => "#patch$patchno"}, "patch");
-                               } else {
-                                       print $cgi->a({-href => href(action=>"blobdiff",
-                                                                    hash=>$diff{'to_id'}, hash_parent=>$diff{'from_id'},
-                                                                    hash_base=>$hash, hash_parent_base=>$parent,
-                                                                    file_name=>$diff{'file'})},
-                                                     "diff");
-                               }
-                               print " | ";
+                       if ($action eq 'commitdiff') {
+                               # link to patch
+                               $patchno++;
+                               print $cgi->a({-href => "#patch$patchno"}, "patch") .
+                                     " | ";
+                       } elsif ($diff{'to_id'} ne $diff{'from_id'}) {
+                               # "commit" view and modified file (not onlu mode changed)
+                               print $cgi->a({-href => href(action=>"blobdiff",
+                                                            hash=>$diff{'to_id'}, hash_parent=>$diff{'from_id'},
+                                                            hash_base=>$hash, hash_parent_base=>$parent,
+                                                            file_name=>$diff{'file'})},
+                                             "diff") .
+                                     " | ";
                        }
                        print $cgi->a({-href => href(action=>"blob", hash=>$diff{'to_id'},
                                                     hash_base=>$hash, file_name=>$diff{'file'})},
                                      "blob") . " | ";
-                       print $cgi->a({-href => href(action=>"blame", hash_base=>$hash,
-                                                    file_name=>$diff{'file'})},
-                                     "blame") . " | ";
+                       if ($have_blame) {
+                               print $cgi->a({-href => href(action=>"blame",
+                                                            hash_base=>$hash,
+                                                            file_name=>$diff{'file'})},
+                                             "blame") . " | ";
+                       }
                        print $cgi->a({-href => href(action=>"history", hash_base=>$hash,
                                                     file_name=>$diff{'file'})},
                                      "history");
@@ -1981,33 +2158,36 @@ sub git_difftree_body {
                        print "<td>" .
                              $cgi->a({-href => href(action=>"blob", hash_base=>$hash,
                                                     hash=>$diff{'to_id'}, file_name=>$diff{'to_file'}),
-                                     -class => "list"}, esc_html($diff{'to_file'})) . "</td>\n" .
+                                     -class => "list"}, esc_path($diff{'to_file'})) . "</td>\n" .
                              "<td><span class=\"file_status $nstatus\">[$nstatus from " .
                              $cgi->a({-href => href(action=>"blob", hash_base=>$parent,
                                                     hash=>$diff{'from_id'}, file_name=>$diff{'from_file'}),
-                                     -class => "list"}, esc_html($diff{'from_file'})) .
+                                     -class => "list"}, esc_path($diff{'from_file'})) .
                              " with " . (int $diff{'similarity'}) . "% similarity$mode_chng]</span></td>\n" .
                              "<td class=\"link\">";
-                       if ($diff{'to_id'} ne $diff{'from_id'}) {
-                               if ($action eq 'commitdiff') {
-                                       # link to patch
-                                       $patchno++;
-                                       print $cgi->a({-href => "#patch$patchno"}, "patch");
-                               } else {
-                                       print $cgi->a({-href => href(action=>"blobdiff",
-                                                                    hash=>$diff{'to_id'}, hash_parent=>$diff{'from_id'},
-                                                                    hash_base=>$hash, hash_parent_base=>$parent,
-                                                                    file_name=>$diff{'to_file'}, file_parent=>$diff{'from_file'})},
-                                                     "diff");
-                               }
-                               print " | ";
+                       if ($action eq 'commitdiff') {
+                               # link to patch
+                               $patchno++;
+                               print $cgi->a({-href => "#patch$patchno"}, "patch") .
+                                     " | ";
+                       } elsif ($diff{'to_id'} ne $diff{'from_id'}) {
+                               # "commit" view and modified file (not only pure rename or copy)
+                               print $cgi->a({-href => href(action=>"blobdiff",
+                                                            hash=>$diff{'to_id'}, hash_parent=>$diff{'from_id'},
+                                                            hash_base=>$hash, hash_parent_base=>$parent,
+                                                            file_name=>$diff{'to_file'}, file_parent=>$diff{'from_file'})},
+                                             "diff") .
+                                     " | ";
                        }
                        print $cgi->a({-href => href(action=>"blob", hash=>$diff{'from_id'},
                                                     hash_base=>$parent, file_name=>$diff{'from_file'})},
                                      "blob") . " | ";
-                       print $cgi->a({-href => href(action=>"blame", hash_base=>$parent,
-                                                    file_name=>$diff{'from_file'})},
-                                     "blame") . " | ";
+                       if ($have_blame) {
+                               print $cgi->a({-href => href(action=>"blame",
+                                                            hash_base=>$hash,
+                                                            file_name=>$diff{'to_file'})},
+                                             "blame") . " | ";
+                       }
                        print $cgi->a({-href => href(action=>"history", hash_base=>$parent,
                                                    file_name=>$diff{'from_file'})},
                                      "history");
@@ -2026,6 +2206,7 @@ sub git_patchset_body {
        my $in_header = 0;
        my $patch_found = 0;
        my $diffinfo;
+       my (%from, %to);
 
        print "<div class=\"patchset\">\n";
 
@@ -2036,6 +2217,10 @@ sub git_patchset_body {
                if ($patch_line =~ m/^diff /) { # "git diff" header
                        # beginning of patch (in patchset)
                        if ($patch_found) {
+                               # close extended header for previous empty patch
+                               if ($in_header) {
+                                       print "</div>\n" # class="diff extended_header"
+                               }
                                # close previous patch
                                print "</div>\n"; # class="patch"
                        } else {
@@ -2044,96 +2229,113 @@ sub git_patchset_body {
                        }
                        print "<div class=\"patch\" id=\"patch". ($patch_idx+1) ."\">\n";
 
+                       # read and prepare patch information
                        if (ref($difftree->[$patch_idx]) eq "HASH") {
+                               # pre-parsed (or generated by hand)
                                $diffinfo = $difftree->[$patch_idx];
                        } else {
                                $diffinfo = parse_difftree_raw_line($difftree->[$patch_idx]);
                        }
+                       $from{'file'} = $diffinfo->{'from_file'} || $diffinfo->{'file'};
+                       $to{'file'}   = $diffinfo->{'to_file'}   || $diffinfo->{'file'};
+                       if ($diffinfo->{'status'} ne "A") { # not new (added) file
+                               $from{'href'} = href(action=>"blob", hash_base=>$hash_parent,
+                                                    hash=>$diffinfo->{'from_id'},
+                                                    file_name=>$from{'file'});
+                       }
+                       if ($diffinfo->{'status'} ne "D") { # not deleted file
+                               $to{'href'} = href(action=>"blob", hash_base=>$hash,
+                                                  hash=>$diffinfo->{'to_id'},
+                                                  file_name=>$to{'file'});
+                       }
                        $patch_idx++;
 
-                       # for now, no extended header, hence we skip empty patches
-                       # companion to  next LINE if $in_header;
-                       if ($diffinfo->{'from_id'} eq $diffinfo->{'to_id'}) { # no change
-                               $in_header = 1;
-                               next LINE;
+                       # print "git diff" header
+                       $patch_line =~ s!^(diff (.*?) )"?a/.*$!$1!;
+                       if ($from{'href'}) {
+                               $patch_line .= $cgi->a({-href => $from{'href'}, -class => "path"},
+                                                      'a/' . esc_path($from{'file'}));
+                       } else { # file was added
+                               $patch_line .= 'a/' . esc_path($from{'file'});
                        }
-
-                       if ($diffinfo->{'status'} eq "A") { # added
-                               print "<div class=\"diff_info\">" . file_type($diffinfo->{'to_mode'}) . ":" .
-                                     $cgi->a({-href => href(action=>"blob", hash_base=>$hash,
-                                                            hash=>$diffinfo->{'to_id'}, file_name=>$diffinfo->{'file'})},
-                                             $diffinfo->{'to_id'}) . " (new)" .
-                                     "</div>\n"; # class="diff_info"
-
-                       } elsif ($diffinfo->{'status'} eq "D") { # deleted
-                               print "<div class=\"diff_info\">" . file_type($diffinfo->{'from_mode'}) . ":" .
-                                     $cgi->a({-href => href(action=>"blob", hash_base=>$hash_parent,
-                                                            hash=>$diffinfo->{'from_id'}, file_name=>$diffinfo->{'file'})},
-                                             $diffinfo->{'from_id'}) . " (deleted)" .
-                                     "</div>\n"; # class="diff_info"
-
-                       } elsif ($diffinfo->{'status'} eq "R" || # renamed
-                                $diffinfo->{'status'} eq "C" || # copied
-                                $diffinfo->{'status'} eq "2") { # with two filenames (from git_blobdiff)
-                               print "<div class=\"diff_info\">" .
-                                     file_type($diffinfo->{'from_mode'}) . ":" .
-                                     $cgi->a({-href => href(action=>"blob", hash_base=>$hash_parent,
-                                                            hash=>$diffinfo->{'from_id'}, file_name=>$diffinfo->{'from_file'})},
-                                             $diffinfo->{'from_id'}) .
-                                     " -> " .
-                                     file_type($diffinfo->{'to_mode'}) . ":" .
-                                     $cgi->a({-href => href(action=>"blob", hash_base=>$hash,
-                                                            hash=>$diffinfo->{'to_id'}, file_name=>$diffinfo->{'to_file'})},
-                                             $diffinfo->{'to_id'});
-                               print "</div>\n"; # class="diff_info"
-
-                       } else { # modified, mode changed, ...
-                               print "<div class=\"diff_info\">" .
-                                     file_type($diffinfo->{'from_mode'}) . ":" .
-                                     $cgi->a({-href => href(action=>"blob", hash_base=>$hash_parent,
-                                                            hash=>$diffinfo->{'from_id'}, file_name=>$diffinfo->{'file'})},
-                                             $diffinfo->{'from_id'}) .
-                                     " -> " .
-                                     file_type($diffinfo->{'to_mode'}) . ":" .
-                                     $cgi->a({-href => href(action=>"blob", hash_base=>$hash,
-                                                            hash=>$diffinfo->{'to_id'}, file_name=>$diffinfo->{'file'})},
-                                             $diffinfo->{'to_id'});
-                               print "</div>\n"; # class="diff_info"
+                       $patch_line .= ' ';
+                       if ($to{'href'}) {
+                               $patch_line .= $cgi->a({-href => $to{'href'}, -class => "path"},
+                                                      'b/' . esc_path($to{'file'}));
+                       } else { # file was deleted
+                               $patch_line .= 'b/' . esc_path($to{'file'});
                        }
 
-                       #print "<div class=\"diff extended_header\">\n";
+                       print "<div class=\"diff header\">$patch_line</div>\n";
+                       print "<div class=\"diff extended_header\">\n";
                        $in_header = 1;
                        next LINE;
-               } # start of patch in patchset
+               }
 
+               if ($in_header) {
+                       if ($patch_line !~ m/^---/) {
+                               # match <path>
+                               if ($patch_line =~ s!^((copy|rename) from ).*$!$1! && $from{'href'}) {
+                                       $patch_line .= $cgi->a({-href=>$from{'href'}, -class=>"path"},
+                                                               esc_path($from{'file'}));
+                               }
+                               if ($patch_line =~ s!^((copy|rename) to ).*$!$1! && $to{'href'}) {
+                                       $patch_line = $cgi->a({-href=>$to{'href'}, -class=>"path"},
+                                                             esc_path($to{'file'}));
+                               }
+                               # match <mode>
+                               if ($patch_line =~ m/\s(\d{6})$/) {
+                                       $patch_line .= '<span class="info"> (' .
+                                                      file_type_long($1) .
+                                                      ')</span>';
+                               }
+                               # match <hash>
+                               if ($patch_line =~ m/^index/) {
+                                       my ($from_link, $to_link);
+                                       if ($from{'href'}) {
+                                               $from_link = $cgi->a({-href=>$from{'href'}, -class=>"hash"},
+                                                                    substr($diffinfo->{'from_id'},0,7));
+                                       } else {
+                                               $from_link = '0' x 7;
+                                       }
+                                       if ($to{'href'}) {
+                                               $to_link = $cgi->a({-href=>$to{'href'}, -class=>"hash"},
+                                                                  substr($diffinfo->{'to_id'},0,7));
+                                       } else {
+                                               $to_link = '0' x 7;
+                                       }
+                                       my ($from_id, $to_id) = ($diffinfo->{'from_id'}, $diffinfo->{'to_id'});
+                                       $patch_line =~ s!$from_id\.\.$to_id!$from_link..$to_link!;
+                               }
+                               print $patch_line . "<br/>\n";
 
-               if ($in_header && $patch_line =~ m/^---/) {
-                       #print "</div>\n"; # class="diff extended_header"
-                       $in_header = 0;
+                       } else {
+                               #$in_header && $patch_line =~ m/^---/;
+                               print "</div>\n"; # class="diff extended_header"
+                               $in_header = 0;
+
+                               if ($from{'href'}) {
+                                       $patch_line = '--- a/' .
+                                                     $cgi->a({-href=>$from{'href'}, -class=>"path"},
+                                                             esc_path($from{'file'}));
+                               }
+                               print "<div class=\"diff from_file\">$patch_line</div>\n";
 
-                       my $file = $diffinfo->{'from_file'};
-                       $file  ||= $diffinfo->{'file'};
-                       $file = $cgi->a({-href => href(action=>"blob", hash_base=>$hash_parent,
-                                                      hash=>$diffinfo->{'from_id'}, file_name=>$file),
-                                       -class => "list"}, esc_html($file));
-                       $patch_line =~ s|a/.*$|a/$file|g;
-                       print "<div class=\"diff from_file\">$patch_line</div>\n";
+                               $patch_line = <$fd>;
+                               chomp $patch_line;
 
-                       $patch_line = <$fd>;
-                       chomp $patch_line;
+                               #$patch_line =~ m/^+++/;
+                               if ($to{'href'}) {
+                                       $patch_line = '+++ b/' .
+                                                     $cgi->a({-href=>$to{'href'}, -class=>"path"},
+                                                             esc_path($to{'file'}));
+                               }
+                               print "<div class=\"diff to_file\">$patch_line</div>\n";
 
-                       #$patch_line =~ m/^+++/;
-                       $file    = $diffinfo->{'to_file'};
-                       $file  ||= $diffinfo->{'file'};
-                       $file = $cgi->a({-href => href(action=>"blob", hash_base=>$hash,
-                                                      hash=>$diffinfo->{'to_id'}, file_name=>$file),
-                                       -class => "list"}, esc_html($file));
-                       $patch_line =~ s|b/.*|b/$file|g;
-                       print "<div class=\"diff to_file\">$patch_line</div>\n";
+                       }
 
                        next LINE;
                }
-               next LINE if $in_header;
 
                print format_diff_line($patch_line);
        }
@@ -2144,6 +2346,131 @@ sub git_patchset_body {
 
 # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 
+sub git_project_list_body {
+       my ($projlist, $order, $from, $to, $extra, $no_header) = @_;
+
+       my ($check_forks) = gitweb_check_feature('forks');
+
+       my @projects;
+       foreach my $pr (@$projlist) {
+               my (@aa) = git_get_last_activity($pr->{'path'});
+               unless (@aa) {
+                       next;
+               }
+               ($pr->{'age'}, $pr->{'age_string'}) = @aa;
+               if (!defined $pr->{'descr'}) {
+                       my $descr = git_get_project_description($pr->{'path'}) || "";
+                       $pr->{'descr'} = chop_str($descr, 25, 5);
+               }
+               if (!defined $pr->{'owner'}) {
+                       $pr->{'owner'} = get_file_owner("$projectroot/$pr->{'path'}") || "";
+               }
+               if ($check_forks) {
+                       my $pname = $pr->{'path'};
+                       if (($pname =~ s/\.git$//) &&
+                           ($pname !~ /\/$/) &&
+                           (-d "$projectroot/$pname")) {
+                               $pr->{'forks'} = "-d $projectroot/$pname";
+                       }
+                       else {
+                               $pr->{'forks'} = 0;
+                       }
+               }
+               push @projects, $pr;
+       }
+
+       $order ||= "project";
+       $from = 0 unless defined $from;
+       $to = $#projects if (!defined $to || $#projects < $to);
+
+       print "<table class=\"project_list\">\n";
+       unless ($no_header) {
+               print "<tr>\n";
+               if ($check_forks) {
+                       print "<th></th>\n";
+               }
+               if ($order eq "project") {
+                       @projects = sort {$a->{'path'} cmp $b->{'path'}} @projects;
+                       print "<th>Project</th>\n";
+               } else {
+                       print "<th>" .
+                             $cgi->a({-href => href(project=>undef, order=>'project'),
+                                      -class => "header"}, "Project") .
+                             "</th>\n";
+               }
+               if ($order eq "descr") {
+                       @projects = sort {$a->{'descr'} cmp $b->{'descr'}} @projects;
+                       print "<th>Description</th>\n";
+               } else {
+                       print "<th>" .
+                             $cgi->a({-href => href(project=>undef, order=>'descr'),
+                                      -class => "header"}, "Description") .
+                             "</th>\n";
+               }
+               if ($order eq "owner") {
+                       @projects = sort {$a->{'owner'} cmp $b->{'owner'}} @projects;
+                       print "<th>Owner</th>\n";
+               } else {
+                       print "<th>" .
+                             $cgi->a({-href => href(project=>undef, order=>'owner'),
+                                      -class => "header"}, "Owner") .
+                             "</th>\n";
+               }
+               if ($order eq "age") {
+                       @projects = sort {$a->{'age'} <=> $b->{'age'}} @projects;
+                       print "<th>Last Change</th>\n";
+               } else {
+                       print "<th>" .
+                             $cgi->a({-href => href(project=>undef, order=>'age'),
+                                      -class => "header"}, "Last Change") .
+                             "</th>\n";
+               }
+               print "<th></th>\n" .
+                     "</tr>\n";
+       }
+       my $alternate = 1;
+       for (my $i = $from; $i <= $to; $i++) {
+               my $pr = $projects[$i];
+               if ($alternate) {
+                       print "<tr class=\"dark\">\n";
+               } else {
+                       print "<tr class=\"light\">\n";
+               }
+               $alternate ^= 1;
+               if ($check_forks) {
+                       print "<td>";
+                       if ($pr->{'forks'}) {
+                               print "<!-- $pr->{'forks'} -->\n";
+                               print $cgi->a({-href => href(project=>$pr->{'path'}, action=>"forks")}, "+");
+                       }
+                       print "</td>\n";
+               }
+               print "<td>" . $cgi->a({-href => href(project=>$pr->{'path'}, action=>"summary"),
+                                       -class => "list"}, esc_html($pr->{'path'})) . "</td>\n" .
+                     "<td>" . esc_html($pr->{'descr'}) . "</td>\n" .
+                     "<td><i>" . chop_str($pr->{'owner'}, 15) . "</i></td>\n";
+               print "<td class=\"". age_class($pr->{'age'}) . "\">" .
+                     $pr->{'age_string'} . "</td>\n" .
+                     "<td class=\"link\">" .
+                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"summary")}, "summary")   . " | " .
+                     $cgi->a({-href => '/git-browser/by-commit.html?r='.$pr->{'path'}}, "graphiclog") . " | " .
+                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"log")}, "log") . " | " .
+                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"tree")}, "tree") .
+                     ($pr->{'forks'} ? " | " . $cgi->a({-href => href(project=>$pr->{'path'}, action=>"forks")}, "forks") : '') .
+                     "</td>\n" .
+                     "</tr>\n";
+       }
+       if (defined $extra) {
+               print "<tr>\n";
+               if ($check_forks) {
+                       print "<td></td>\n";
+               }
+               print "<td colspan=\"5\">$extra</td>\n" .
+                     "</tr>\n";
+       }
+       print "</table>\n";
+}
+
 sub git_shortlog_body {
        # uses global variable $project
        my ($revlist, $from, $to, $refs, $extra) = @_;
@@ -2264,8 +2591,7 @@ sub git_tags_body {
        for (my $i = $from; $i <= $to; $i++) {
                my $entry = $taglist->[$i];
                my %tag = %$entry;
-               my $comment_lines = $tag{'comment'};
-               my $comment = shift @$comment_lines;
+               my $comment = $tag{'subject'};
                my $comment_short;
                if (defined $comment) {
                        $comment_short = chop_str($comment, 30, 5);
@@ -2298,7 +2624,7 @@ sub git_tags_body {
                      $cgi->a({-href => href(action=>$tag{'reftype'}, hash=>$tag{'refid'})}, $tag{'reftype'});
                if ($tag{'reftype'} eq "commit") {
                        print " | " . $cgi->a({-href => href(action=>"shortlog", hash=>$tag{'name'})}, "shortlog") .
-                             " | " . $cgi->a({-href => href(action=>"log", hash=>$tag{'refid'})}, "log");
+                             " | " . $cgi->a({-href => href(action=>"log", hash=>$tag{'name'})}, "log");
                } elsif ($tag{'reftype'} eq "blob") {
                        print " | " . $cgi->a({-href => href(action=>"blob_plain", hash=>$tag{'refid'})}, "raw");
                }
@@ -2323,23 +2649,23 @@ sub git_heads_body {
        my $alternate = 1;
        for (my $i = $from; $i <= $to; $i++) {
                my $entry = $headlist->[$i];
-               my %tag = %$entry;
-               my $curr = $tag{'id'} eq $head;
+               my %ref = %$entry;
+               my $curr = $ref{'id'} eq $head;
                if ($alternate) {
                        print "<tr class=\"dark\">\n";
                } else {
                        print "<tr class=\"light\">\n";
                }
                $alternate ^= 1;
-               print "<td><i>$tag{'age'}</i></td>\n" .
-                     ($tag{'id'} eq $head ? "<td class=\"current_head\">" : "<td>") .
-                     $cgi->a({-href => href(action=>"shortlog", hash=>$tag{'name'}),
-                              -class => "list name"},esc_html($tag{'name'})) .
+               print "<td><i>$ref{'age'}</i></td>\n" .
+                     ($curr ? "<td class=\"current_head\">" : "<td>") .
+                     $cgi->a({-href => href(action=>"shortlog", hash=>$ref{'name'}),
+                              -class => "list name"},esc_html($ref{'name'})) .
                      "</td>\n" .
                      "<td class=\"link\">" .
-                     $cgi->a({-href => href(action=>"shortlog", hash=>$tag{'name'})}, "shortlog") . " | " .
-                     $cgi->a({-href => href(action=>"log", hash=>$tag{'name'})}, "log") . " | " .
-                     $cgi->a({-href => href(action=>"tree", hash=>$tag{'name'}, hash_base=>$tag{'name'})}, "tree") .
+                     $cgi->a({-href => href(action=>"shortlog", hash=>$ref{'name'})}, "shortlog") . " | " .
+                     $cgi->a({-href => href(action=>"log", hash=>$ref{'name'})}, "log") . " | " .
+                     $cgi->a({-href => href(action=>"tree", hash=>$ref{'name'}, hash_base=>$ref{'name'})}, "tree") .
                      "</td>\n" .
                      "</tr>";
        }
@@ -2362,25 +2688,9 @@ sub git_project_list {
        }
 
        my @list = git_get_projects_list();
-       my @projects;
        if (!@list) {
                die_error(undef, "No projects found");
        }
-       foreach my $pr (@list) {
-               my (@aa) = git_get_last_activity($pr->{'path'});
-               unless (@aa) {
-                       next;
-               }
-               ($pr->{'age'}, $pr->{'age_string'}) = @aa;
-               if (!defined $pr->{'descr'}) {
-                       my $descr = git_get_project_description($pr->{'path'}) || "";
-                       $pr->{'descr'} = chop_str($descr, 25, 5);
-               }
-               if (!defined $pr->{'owner'}) {
-                       $pr->{'owner'} = get_file_owner("$projectroot/$pr->{'path'}") || "";
-               }
-               push @projects, $pr;
-       }
 
        git_header_html();
        if (-f $home_text) {
@@ -2390,75 +2700,30 @@ sub git_project_list {
                close $fd;
                print "</div>\n";
        }
-       print "<table class=\"project_list\">\n" .
-             "<tr>\n";
-       $order ||= "project";
-       if ($order eq "project") {
-               @projects = sort {$a->{'path'} cmp $b->{'path'}} @projects;
-               print "<th>Project</th>\n";
-       } else {
-               print "<th>" .
-                     $cgi->a({-href => href(project=>undef, order=>'project'),
-                              -class => "header"}, "Project") .
-                     "</th>\n";
-       }
-       if ($order eq "descr") {
-               @projects = sort {$a->{'descr'} cmp $b->{'descr'}} @projects;
-               print "<th>Description</th>\n";
-       } else {
-               print "<th>" .
-                     $cgi->a({-href => href(project=>undef, order=>'descr'),
-                              -class => "header"}, "Description") .
-                     "</th>\n";
-       }
-       if ($order eq "owner") {
-               @projects = sort {$a->{'owner'} cmp $b->{'owner'}} @projects;
-               print "<th>Owner</th>\n";
-       } else {
-               print "<th>" .
-                     $cgi->a({-href => href(project=>undef, order=>'owner'),
-                              -class => "header"}, "Owner") .
-                     "</th>\n";
-       }
-       if ($order eq "age") {
-               @projects = sort {$a->{'age'} <=> $b->{'age'}} @projects;
-               print "<th>Last Change</th>\n";
-       } else {
-               print "<th>" .
-                     $cgi->a({-href => href(project=>undef, order=>'age'),
-                              -class => "header"}, "Last Change") .
-                     "</th>\n";
+       git_project_list_body(\@list, $order);
+       git_footer_html();
+}
+
+sub git_forks {
+       my $order = $cgi->param('o');
+       if (defined $order && $order !~ m/project|descr|owner|age/) {
+               die_error(undef, "Unknown order parameter");
        }
-       print "<th></th>\n" .
-             "</tr>\n";
-       my $alternate = 1;
-       foreach my $pr (@projects) {
-               if ($alternate) {
-                       print "<tr class=\"dark\">\n";
-               } else {
-                       print "<tr class=\"light\">\n";
-               }
-               $alternate ^= 1;
-               print "<td>" . $cgi->a({-href => href(project=>$pr->{'path'}, action=>"summary"),
-                                       -class => "list"}, esc_html($pr->{'path'})) . "</td>\n" .
-                     "<td>" . esc_html($pr->{'descr'}) . "</td>\n" .
-                     "<td><i>" . chop_str($pr->{'owner'}, 15) . "</i></td>\n";
-               print "<td class=\"". age_class($pr->{'age'}) . "\">" .
-                     $pr->{'age_string'} . "</td>\n" .
-                     "<td class=\"link\">" .
-                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"summary")}, "summary")   . " | " .
-                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"shortlog")}, "shortlog") . " | " .
-                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"log")}, "log") . " | " .
-                     $cgi->a({-href => href(project=>$pr->{'path'}, action=>"tree")}, "tree") .
-                     "</td>\n" .
-                     "</tr>\n";
+
+       my @list = git_get_projects_list($project);
+       if (!@list) {
+               die_error(undef, "No forks found");
        }
-       print "</table>\n";
+
+       git_header_html();
+       git_print_page_nav('','');
+       git_print_header_div('summary', "$project forks");
+       git_project_list_body(\@list, $order);
        git_footer_html();
 }
 
 sub git_project_index {
-       my @projects = git_get_projects_list();
+       my @projects = git_get_projects_list($project);
 
        print $cgi->header(
                -type => 'text/plain',
@@ -2489,17 +2754,14 @@ sub git_summary {
 
        my $owner = git_get_project_owner($project);
 
-       my ($reflist, $refs) = git_get_refs_list();
+       my $refs = git_get_references();
+       my @taglist  = git_get_tags_list(15);
+       my @headlist = git_get_heads_list(15);
+       my @forklist;
+       my ($check_forks) = gitweb_check_feature('forks');
 
-       my @taglist;
-       my @headlist;
-       foreach my $ref (@$reflist) {
-               if ($ref->{'name'} =~ s!^heads/!!) {
-                       push @headlist, $ref;
-               } else {
-                       $ref->{'name'} =~ s!^tags/!!;
-                       push @taglist, $ref;
-               }
+       if ($check_forks) {
+               @forklist = git_get_projects_list($project);
        }
 
        git_header_html();
@@ -2551,6 +2813,13 @@ sub git_summary {
                               $cgi->a({-href => href(action=>"heads")}, "..."));
        }
 
+       if (@forklist) {
+               git_print_header_div('forks');
+               git_project_list_body(\@forklist, undef, 0, 15,
+                                     $cgi->a({-href => href(action=>"forks")}, "..."),
+                                     'noheader');
+       }
+
        git_footer_html();
 }
 
@@ -2581,6 +2850,7 @@ sub git_tag {
        print "<div class=\"page_body\">";
        my $comment = $tag{'comment'};
        foreach my $line (@$comment) {
+               chomp($line);
                print esc_html($line) . "<br/>\n";
        }
        print "</div>\n";
@@ -2650,6 +2920,7 @@ sub git_blame2 {
                        }
                }
                my $data = $_;
+               chomp($data);
                my $rev = substr($full_rev, 0, 8);
                my $author = $meta->{'author'};
                my %date = parse_date($meta->{'author-time'},
@@ -2792,9 +3063,9 @@ sub git_tags {
        git_print_page_nav('','', $head,undef,$head);
        git_print_header_div('summary', $project);
 
-       my ($taglist) = git_get_refs_list("tags");
-       if (@$taglist) {
-               git_tags_body($taglist);
+       my @tagslist = git_get_tags_list();
+       if (@tagslist) {
+               git_tags_body(\@tagslist);
        }
        git_footer_html();
 }
@@ -2805,9 +3076,9 @@ sub git_heads {
        git_print_page_nav('','', $head,undef,$head);
        git_print_header_div('summary', $project);
 
-       my ($headlist) = git_get_refs_list("heads");
-       if (@$headlist) {
-               git_heads_body($headlist, $head);
+       my @headslist = git_get_heads_list();
+       if (@headslist) {
+               git_heads_body(\@headslist, $head);
        }
        git_footer_html();
 }
@@ -2920,7 +3191,7 @@ sub git_blob {
                $nr++;
                $line = untabify($line);
                printf "<div class=\"pre\"><a id=\"l%i\" href=\"#l%i\" class=\"linenr\">%4i</a> %s</div>\n",
-                      $nr, $nr, $nr, esc_html($line);
+                      $nr, $nr, $nr, esc_html($line, -nbsp=>1);
        }
        close $fd
                or print "Reading blob failed.\n";
@@ -3378,8 +3649,8 @@ sub git_blobdiff {
 
        } else {
                while (my $line = <$fd>) {
-                       $line =~ s!a/($hash|$hash_parent)!'a/'.esc_html($diffinfo{'from_file'})!eg;
-                       $line =~ s!b/($hash|$hash_parent)!'b/'.esc_html($diffinfo{'to_file'})!eg;
+                       $line =~ s!a/($hash|$hash_parent)!'a/'.esc_path($diffinfo{'from_file'})!eg;
+                       $line =~ s!b/($hash|$hash_parent)!'b/'.esc_path($diffinfo{'to_file'})!eg;
 
                        print $line;
 
@@ -3736,7 +4007,7 @@ sub git_search {
                                                print $cgi->a({-href => href(action=>"blob", hash_base=>$co{'id'},
                                                                             hash=>$set{'id'}, file_name=>$set{'file'}),
                                                              -class => "list"},
-                                                             "<span class=\"match\">" . esc_html($set{'file'}) . "</span>") .
+                                                             "<span class=\"match\">" . esc_path($set{'file'}) . "</span>") .
                                                      "<br/>\n";
                                        }
                                        print "</td>\n" .
@@ -3871,7 +4142,7 @@ sub git_rss {
                        if (!($line =~ m/^:([0-7]{6}) ([0-7]{6}) ([0-9a-fA-F]{40}) ([0-9a-fA-F]{40}) (.)([0-9]{0,3})\t(.*)$/)) {
                                next;
                        }
-                       my $file = esc_html(unquote($7));
+                       my $file = esc_path(unquote($7));
                        $file = to_utf8($file);
                        print "$file<br/>\n";
                }