author Jakub Narebski <jnareb@gmail.com> 2010-02-07 21:51:18 +0100
committer Junio C Hamano <gitster@pobox.com> 2010-02-17 11:18:09 -0800
commit 453541fcfcbc54aa3b0035667e5d5885d407d0a5
tree 5233260f999c7a0f5f5f73c02339243bf24b9158 /gitweb
parent Merge branch 'jc/typo'
gitweb: esc_html (short) error message in die_error
The error message (second argument to die_error) is meant to be a short, one-line text description of the given error. A few callers call die_error with an error message containing unescaped user supplied data ($hash, $file_name). Instead of forcing callers to escape data, simply call esc_html on the parameter.

Note that the optional third parameter, which contains a detailed error description, is meant to be HTML formatted, and therefore should not be escaped.

While at it update esc_html synopsis/usage, and bring default error description to read 'Internal Server Error' (titlecased).

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb')
-rwxr-xr-x gitweb/gitweb.perl 4
1 files changed, 2 insertions, 2 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 1f6978ac1f..2ccbb6aa34 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -3372,7 +3372,7 @@ sub git_footer_html {
"</html>";
}
-# die_error(<http_status_code>, <error_message>)
+# die_error(<http_status_code>, <error_message>[, <detailed_html_description>])
# Example: die_error(404, 'Hash not found')
# By convention, use the following status codes (as defined in RFC 2616):
# 400: Invalid or missing CGI parameters, or
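Review bot: The updated synopsis line for die_error names the third argument but does not state the escaping contract for either argument. With this commit <error_message> is plain text that die_error escapes itself, while <detailed_html_description> is expected to arrive as HTML; suggest saying so in this comment, including that callers must escape any user-supplied data they place in the third argument. The example line `die_error(404, 'Hash not found')` could also gain a three-argument form so the convention is visible at the definition.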
@@ -3387,7 +3387,7 @@ sub git_footer_html {
# or down for maintenance). Generally, this is a temporary state.
sub die_error {
my $status = shift || 500;
- my $error = shift || "Internal server error";
+ my $error = esc_html(shift || "Internal Server Error");
my $extra = shift;
my %http_responses = (
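Review bot: Escaping centrally at `my $error = esc_html(shift || "Internal Server Error");` will double-escape the message for any caller that already passes esc_html'd text as the second argument, so the existing call sites should be audited and changed to pass raw text where needed. The next line, `my $extra = shift;`, stays unescaped by design, which means any call site that interpolates $hash, $file_name or other request data into the third argument still has to escape it itself; a short comment on that line stating this would keep future callers from assuming die_error sanitizes both arguments.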