gitweb: esc_html (short) error message in die_error

The error message (second argument to die_error) is meant to be short,
one-line text description of given error.  A few callers call
die_error with error message containing unescaped user supplied data
($hash, $file_name).  Instead of forcing callers to escape data,
simply call esc_html on the parameter.

Note that optional third parameter, which contains detailed error
description, is meant to be HTML formatted, and therefore should be
not escaped.

While at it update esc_html synopsis/usage, and bring default error
description to read 'Internal Server Error' (titlecased).

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 1f6978ac1f3ca2f915c5b87d8b196ee1e0e52aca..2ccbb6aa3482924263ff0a110891cab82f71575c 100755 (executable)
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -3372,7 +3372,7 @@ sub git_footer_html {
              "</html>";
 }
 
-# die_error(<http_status_code>, <error_message>)
+# die_error(<http_status_code>, <error_message>[, <detailed_html_description>])
 # Example: die_error(404, 'Hash not found')
 # By convention, use the following status codes (as defined in RFC 2616):
 # 400: Invalid or missing CGI parameters, or
@@ -3387,7 +3387,7 @@ sub git_footer_html {
 #      or down for maintenance).  Generally, this is a temporary state.
 sub die_error {
        my $status = shift || 500;
-       my $error = shift || "Internal server error";
+       my $error = esc_html(shift || "Internal Server Error");
        my $extra = shift;
 
        my %http_responses = (