login/commits: escape html characters in commit messages
authorMischa POSLAWSKY <perl@shiar.org>
Mon, 18 Nov 2019 21:20:45 +0000 (22:20 +0100)
committerMischa POSLAWSKY <perl@shiar.org>
Mon, 18 Nov 2019 21:20:45 +0000 (22:20 +0100)
widget/login/commits.php

index b86b6c5f8d76f2034fe722070916efd047290f47..b9cae451be89d515367d0e0c9d91a3948b4f1d1d 100644 (file)
@@ -18,7 +18,8 @@ if ( $log = popen($gitcmd, 'r') ) {
                list ($atime, $author, $message) = explode("\t", $line, 3);
                list ($author) = explode(' ', $author); # first name only
                printf('<li>%s <small class="date">%s • %s</small></li>'."\n",
-                       $message, $author, strftime('%F %H:%M', $atime)
+                       htmlspecialchars($message),
+                       htmlspecialchars($author), strftime('%F %H:%M', $atime)
                );
                $lines++;
        }
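Review bot: Both `htmlspecialchars()` calls on the added lines rely on the default flags and on the `default_charset` setting, so the escaping depends on the PHP version and configuration. With the defaults, a commit message or author name containing bytes that are invalid in the configured charset comes back as an empty string and the list item renders blank. Single quotes are also left unescaped on PHP before 8.1, which is harmless in this element-text context but would matter if the values were later moved into a single-quoted attribute. Passing the arguments explicitly, e.g. `htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and the same for `$author`, makes the output deterministic. The enclosing `if` and the loop start and end outside the hunk, so how `$line` is read and how `$gitcmd` is built cannot be checked from here.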