Re: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote: > Same question here -- XSS potential? This is the one that worries me. But actually, Git strips "<", ">" and "\n" from GIT_*_NAME, so the question becomes whether we can manually construct a Git object to exploit this. I think the parsing.c::parse_user() function then saves us by stopping the name as soon as it hits "<". So there cannot be any way to insert HTML elements here. ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
Same question here -- XSS potential? ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
[PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
Everywhere else we use html_txt to escape any special characters in
these variables. Do so here as well.
Signed-off-by: John Keeping
---
I spotted this while looking at Jason's jd/gravatar series. The
following two patches cover other similar issues I spotted while
auditing all uses of "html()". I think everything else is OK.
ui-refs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ui-refs.c b/ui-refs.c
index 20c91e3..c97b0c6 100644
--- a/ui-refs.c
+++ b/ui-refs.c
@@ -155,9 +155,9 @@ static int print_tag(struct refinfo *ref)
html("");
if (info) {
if (info->tagger)
- html(info->tagger);
+ html_txt(info->tagger);
} else if (ref->object->type == OBJ_COMMIT) {
- html(ref->commit->author);
+ html_txt(ref->commit->author);
}
html("");
if (info) {
--
1.8.5.226.g0d60d77
___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit
