Re: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote: > Same question here -- XSS potential? This is the one that worries me. But actually, Git strips "<", ">" and "\n" from GIT_*_NAME, so the question becomes whether we can manually construct a Git object to exploit this. I think the parsing.c::parse_user() function then saves us by stopping the name as soon as it hits "<". So there cannot be any way to insert HTML elements here. ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
Same question here -- XSS potential? ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
[PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
Everywhere else we use html_txt to escape any special characters in these variables. Do so here as well. Signed-off-by: John Keeping --- I spotted this while looking at Jason's jd/gravatar series. The following two patches cover other similar issues I spotted while auditing all uses of "html()". I think everything else is OK. ui-refs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ui-refs.c b/ui-refs.c index 20c91e3..c97b0c6 100644 --- a/ui-refs.c +++ b/ui-refs.c @@ -155,9 +155,9 @@ static int print_tag(struct refinfo *ref) html(""); if (info) { if (info->tagger) - html(info->tagger); + html_txt(info->tagger); } else if (ref->object->type == OBJ_COMMIT) { - html(ref->commit->author); + html_txt(ref->commit->author); } html(""); if (info) { -- 1.8.5.226.g0d60d77 ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit