* Valentin Haenel <[email protected]> [2012-10-29]:
> * Jason A. Donenfeld <[email protected]> [2012-10-28]:
> > On Sat, Oct 27, 2012 at 7:00 PM, Ben Boeckel <[email protected]> wrote:
> > >> + cgit_print_error(fmt("Authorization failed for repo: '%s'
> > >> and user: '%s'",
> > >> + ctx->repo->name,
> > >> ctx->env.remote_user));
> >
> > XSS.
>
> Would it be enough to use 'html_txt' from html.c:
>
>     http://git.zx2c4.com/cgit/tree/html.c#n92
>
> to prevent this?
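Review bot: the XSS question for this hunk comes down to whether the formatted message is escaped before it reaches the page, since both interpolated values, `ctx->repo->name` and `ctx->env.remote_user`, are rendered into HTML; cgit_print_error() passes its message through html_txt() (ui-shared.c#n30, as found later in this thread), so the values are escaped at output time and no extra escaping is needed inside the fmt() string. Separately, confirm that `ctx->repo` is guaranteed non-NULL on this path before dereferencing `ctx->repo->name`; if the authorization failure can be reported for a request whose repo did not resolve, the message needs a fallback for the name.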
After further investigation, I discovered that 'cgit_print_error' uses 'html_txt' to do the escaping:

    http://git.zx2c4.com/cgit/tree/ui-shared.c#n30

V-

_______________________________________________
cgit mailing list
[email protected]
http://hjemli.net/mailman/listinfo/cgit
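As an added illustration of the point settled in this thread (this is not cgit's code; html_escape, wrap_div, render_error_raw, render_error_escaped and injects_script are names chosen here), the error message is built the way the quoted patch builds it and rendered twice: once with the raw values dropped into the page, and once through an html_txt-style escaper, which is the shape the thread found in cgit_print_error. The REMOTE_USER value is constructed to carry markup. The escaper here also converts quotes, which is stricter than html_txt() needs for text content but keeps the output safe inside attributes too.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for a character that can open or close markup, or NULL.
 * Hypothetical helper standing in for what html_txt() does. */
static const char *html_rep(char c)
{
	switch (c) {
	case '<':  return "&lt;";
	case '>':  return "&gt;";
	case '&':  return "&amp;";
	case '"':  return "&quot;";
	case '\'': return "&#39;";
	default:   return NULL;
	}
}

/* Escape s for use as HTML text. Returns a malloc'd string (caller frees). */
static char *html_escape(const char *s)
{
	size_t len = 0;
	const char *p, *rep;
	char *out, *q;

	for (p = s; *p; p++) {
		rep = html_rep(*p);
		len += rep ? strlen(rep) : 1;
	}
	out = malloc(len + 1);
	if (!out)
		return NULL;
	for (p = s, q = out; *p; p++) {
		rep = html_rep(*p);
		if (rep) {
			size_t n = strlen(rep);
			memcpy(q, rep, n);
			q += n;
		} else {
			*q++ = *p;
		}
	}
	*q = '\0';
	return out;
}

/* Same format string as the quoted patch; repo and user are request-controlled. */
static void format_auth_error(char *buf, size_t n, const char *repo, const char *user)
{
	snprintf(buf, n, "Authorization failed for repo: '%s' and user: '%s'", repo, user);
}

/* Put body between the error div tags, as cgit_print_error does around its text. */
static char *wrap_div(const char *body)
{
	const char *open = "<div class='error'>", *close = "</div>";
	size_t n = strlen(open) + strlen(body) + strlen(close) + 1;
	char *out = malloc(n);
	if (!out)
		return NULL;
	snprintf(out, n, "%s%s%s", open, body, close);
	return out;
}

/* Unsafe: the message reaches the page unescaped, the case the "XSS" reply feared. */
static char *render_error_raw(const char *repo, const char *user)
{
	char msg[256];
	format_auth_error(msg, sizeof msg, repo, user);
	return wrap_div(msg);
}

/* Safe: the whole message is escaped on output, as cgit_print_error does via html_txt. */
static char *render_error_escaped(const char *repo, const char *user)
{
	char msg[256], *esc, *out;
	format_auth_error(msg, sizeof msg, repo, user);
	esc = html_escape(msg);
	if (!esc)
		return NULL;
	out = wrap_div(esc);
	free(esc);
	return out;
}

/* 1 if a script tag from the input survived into the rendered HTML. */
static int injects_script(const char *html)
{
	return strstr(html, "<script") != NULL;
}

int main(void)
{
	/* Constructed attacker-controlled REMOTE_USER value. */
	const char *user = "<script>alert(1)</script>";
	char *raw = render_error_raw("cgit", user);
	char *esc = render_error_escaped("cgit", user);
	printf("raw:     %s\n  injects script: %d\n", raw, injects_script(raw));
	printf("escaped: %s\n  injects script: %d\n", esc, injects_script(esc));
	free(raw);
	free(esc);
	return 0;
}
```

The escaping happens once, on the fully formatted message, which is why a caller of cgit_print_error does not need to escape each interpolated value itself; escaping the values and then the message again would double-encode the ampersands.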
