On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote:
> Same question here -- XSS potential?
This is the one that worries me. But actually, Git strips "<", ">" and
"\n" from GIT_*_NAME, so the question becomes whether we can manually
construct a Git object to exploit this.
I think
Same question here -- XSS potential?
___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit
Everywhere else we use html_txt to escape any special characters in
these variables. Do so here as well.
Signed-off-by: John Keeping
---
I spotted this while looking at Jason's jd/gravatar series. The
following two patches cover other similar issues I spotted while
auditing all uses of "html()"