On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote:
> Same question here -- XSS potential?

This is the one that worries me. But actually, Git strips "<", ">" and "\n" from GIT_*_NAME, so the question becomes whether we can manually construct a Git object to exploit this. I think the parsing.c::parse_user() function then saves us by stopping the name as soon as it hits "<". So there cannot be any way to insert HTML elements here.

_______________________________________________
CGit mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/cgit
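To make the argument above concrete, here is an added example (not cgit's parsing.c, and not code from this thread) that parses an ident line of a raw commit object the way the message describes parse_user doing it: the name ends at the first "<". The ident line is constructed to imitate a hand-built object whose name field carries markup, which a normal `git commit` would already have stripped; `parse_ident`, `struct ident` and the field sizes are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ident { char name[128]; char email[128]; long date; };

/* Parse one "author"/"committer" ident line of a raw commit object:
 *   "Name <email> <unix-timestamp> <tz>"
 * The name ends at the first '<' (the behaviour the thread attributes to
 * parse_user), so nothing after that character, tags included, can end up
 * in the name. Returns 0 on success, -1 if the line is malformed. */
int parse_ident(const char *line, struct ident *out) {
    const char *lt = strchr(line, '<');
    if (!lt) return -1;
    const char *gt = strchr(lt, '>');
    if (!gt) return -1;
    size_t nlen = (size_t)(lt - line);
    while (nlen && line[nlen - 1] == ' ') nlen--;   /* drop the space before '<' */
    if (nlen >= sizeof out->name) return -1;
    memcpy(out->name, line, nlen);
    out->name[nlen] = '\0';
    size_t elen = (size_t)(gt - lt - 1);
    if (elen >= sizeof out->email) return -1;
    memcpy(out->email, lt + 1, elen);
    out->email[elen] = '\0';
    out->date = strtol(gt + 1, NULL, 10);
    return 0;
}

/* 1 if the parsed name still contains a '<' that could open an HTML tag;
 * because parsing cuts at the first '<', this is 0 for any input line. */
int name_has_tag_start(const struct ident *id) {
    return strchr(id->name, '<') != NULL;
}

int main(void) {
    /* Constructed ident line: markup placed in the name field by hand. The
     * first '<' belongs to the tag, so the parse cuts the name there and
     * the "email" and date are read from the wrong place, but no tag
     * survives in the name. */
    const char *crafted = "Alice <b>bold</b> <alice@example.test> 1389564121 +0100";
    struct ident id;
    if (parse_ident(crafted, &id) == 0)
        printf("name=\"%s\" email=\"%s\" date=%ld tag_in_name=%d\n",
               id.name, id.email, id.date, name_has_tag_start(&id));
    return 0;
}
```

Note that this only covers "<"; whether other characters in a hand-built name are rendered safely is a question of the HTML output path, which this snippet does not model.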
