[PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
john at keeping.me.uk
Sun Jan 12 23:17:43 CET 2014
On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote:
> Same question here -- XSS potential?
This is the one that worries me. But actually, Git strips "<", ">" and
"\n" from GIT_*_NAME, so the question becomes whether we can manually
construct a Git object to exploit this.
I think the parsing.c::parse_user() function then saves us by stopping
the name as soon as it hits "<". So there cannot be any way to insert
HTML elements here.
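As an added illustration of the two layers discussed in this thread (example code, not cgit's own): a hypothetical parse_ident() that, like parsing.c::parse_user(), cuts the name at the first "<", beside the HTML escaping that ui-refs applies on output as defence in depth. The ident line is a constructed sample; the function names and the placeholder address are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample: an author line from a hand-built commit object, which
 * never went through Git's stripping of '<', '>' and '\n' from GIT_*_NAME. */
static const char CRAFTED_IDENT[] =
    "Evil<script>alert(1)</script> <x@example.com> 1389564000 +0100";
/* Hypothetical stand-in for cgit's parsing.c::parse_user(): the name is what
 * precedes the first '<' (trailing blanks trimmed), the e-mail is what sits
 * between that '<' and the next '>'. Returns 0, or -1 if no such pair. */
static int parse_ident(const char *line, char *name, size_t nlen,
                       char *email, size_t elen)
{
    const char *lt = strchr(line, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    size_t n;
    if (!lt || !gt) return -1;
    n = (size_t)(lt - line);
    while (n > 0 && line[n - 1] == ' ')   /* "Jane Doe " -> "Jane Doe" */
        n--;
    if (n >= nlen) n = nlen - 1;
    memcpy(name, line, n);
    name[n] = '\0';
    n = (size_t)(gt - lt - 1);
    if (n >= elen) n = elen - 1;
    memcpy(email, lt + 1, n);
    email[n] = '\0';
    return 0;
}
/* Defence in depth at the HTML output layer: escape every character that can
 * change meaning in text content or a quoted attribute. Caller frees. */
static char *html_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1), *p = out;  /* "&quot;" is 6 bytes */
    if (!out) return NULL;
    for (; *s; s++) {
        const char *rep;
        switch (*s) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *p++ = *s;      continue;
        }
        p += strlen(strcpy(p, rep));
    }
    *p = '\0';
    return out;
}
```

Even on the crafted line the parsed name is just "Evil", and whatever does get through is neutralised again by html_escape() before it reaches the page.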