[PATCH 1/3] ui-refs: escape HTML chars in author and tagger names

John Keeping john at keeping.me.uk
Sun Jan 12 23:17:43 CET 2014


On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote:
> Same question here -- XSS potential?

This is the one that worries me.  But actually, Git strips "<", ">" and
"\n" from GIT_*_NAME, so the question becomes whether we can manually
construct a Git object to exploit this.

I think the parsing.c::parse_user() function then saves us by stopping
the name as soon as it hits "<".  So there cannot be any way to insert
HTML elements here.
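To make the two layers discussed above concrete, here is a small standalone C example (added here; it is not cgit's parse_user() nor the code in this patch): a header parser that, like the behaviour described for parse_user(), ends the name at the first "<", followed by the HTML escaping that the patch adds. The header lines it is fed are constructed for the example. Note that a hand-built object can still put ">" or "&" into the name, which is why escaping the extracted name is still worthwhile.

```c
#include <stdlib.h>
#include <string.h>

/* Extract the display name from a commit/tag header line of the form
 * "author Name <email> <timestamp> <tz>" (or "tagger ..."). As described
 * for parse_user(), the name ends at the first '<'. Returns a malloc'd
 * string, or NULL if the line carries no '<' at all. */
char *parse_name(const char *line)
{
    const char *start = strchr(line, ' ');   /* skip the "author"/"tagger" key */
    if (!start) return NULL;
    start++;
    const char *lt = strchr(start, '<');
    if (!lt) return NULL;
    size_t len = (size_t)(lt - start);
    while (len > 0 && start[len - 1] == ' ') len--;  /* drop the space before '<' */
    char *name = malloc(len + 1);
    if (!name) return NULL;
    memcpy(name, start, len);
    name[len] = '\0';
    return name;
}

/* Escape the characters that are special in HTML text. Returns a malloc'd string. */
char *html_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1);  /* worst case: every char becomes "&quot;" */
    if (!out) return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        case '&': rep = "&amp;"; break;
        case '"': rep = "&quot;"; break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(p, rep, l); p += l; }
        else *p++ = *s;
    }
    *p = '\0';
    return out;
}
```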
