---------- Forwarded message ----------
From: Michael Krelin <[email protected]>
Date: Fri, Jan 15, 2016 at 7:17 PM
Subject: Re: XSS in cgit
To: "Jason A. Donenfeld" <[email protected]>
Cc: "[email protected]" <[email protected]>

Hey,

I can’t remember all the details (2008!), but the main idea was to feed the URL directly to something that would process it according to the content type header. In particular, I believe I linked xml files using xinclude from another xml processed by xsltproc and generating some html. And maybe linked some pictures too. It’s been a while since I’ve done that, though I think I still use that setup (haven’t updated cgit there for a while tho).

That is not to say you’ve done me wrong by removing the feature, I’m not in the position to judge without diving deeper into background of the change ;-)

Love,
H
