On Sep 1, 2010, at 3:06 AM, Ævar Arnfjörð Bjarmason wrote:
On Wed, Sep 1, 2010 at 10:00, Joshua Juran <jjuran@xxxxxxxxx> wrote:
On Sep 1, 2010, at 2:46 AM, Ævar Arnfjörð Bjarmason wrote:
On Wed, Sep 1, 2010 at 09:32, Shivdas Gujare <shivdas.tech@xxxxxxxxx> wrote:

I hope this is the right mailing list for cgit as well.

I am trying to add some "html logs" inside cgit, but I can't open
these logs via cgit inside firefox, i.e. cgit opens every file in
"plain" format. I would like to know if it is possible to open "html"
pages inside cgit, so that if I click on an html page added into git,
it opens in html and not in plain format.

For example:
if I click on "download.html" from
"http://cgit.freedesktop.org/~lb/mesa/tree/docs" it shows a raw file as
"http://cgit.freedesktop.org/~lb/mesa/tree/docs/download.html"
and if I click on "plain" it opens in firefox like
"http://cgit.freedesktop.org/~lb/mesa/plain/docs/download.html"
but here I am trying to open this "download.html" inside cgit so that
I can view it like an html web page and not as a "plain" text file.

Thanks for any help or pointers.

I don't know, but that's probably deliberate. You're viewing a /plain/
link, which should be the equivalent of "git show".

There are also XSS security implications to serving things as text/html
on a shared hosting site if the main site serves cookies or otherwise
has user logins.

One solution is to parse the content server-side and re-render as
sanitized HTML. In addition to stripping out scripts and frames, this
would avoid sending broken markup produced by someone else under your
name, or serving up otherwise well-formed XHTML as text/html.

Yes, but have you seen programs that try to secure arbitrary
user-supplied HTML like this? It isn't pretty, and very hard to get
right.

I haven't looked at any. I'm not suggesting tweaking the HTML, but
replacing it outright. Use a whitelist of elements and attributes;
everything else gets dropped, including comments. I'm not a security
expert, but my assessment is that this does the job.

Josh
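
The re-rendering approach described in the thread (parse server-side, re-emit only whitelisted elements and attributes, drop everything else including comments), as an added example that is not code from the thread or from cgit. The allowlist contents and the names `ALLOWED`, `DROP_CONTENT`, `SAFE_SCHEMES`, `AllowlistRenderer` and `sanitize` are assumptions, as is the `href` scheme check, which is included because an attribute allowlist alone would still pass a `javascript:` URL.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration: element -> attributes it may keep.
ALLOWED = {"h1": (), "h2": (), "p": (), "pre": (), "code": (), "b": (), "i": (),
           "ul": (), "ol": (), "li": (), "a": ("href",)}
DROP_CONTENT = {"script", "style", "iframe", "object"}  # drop their text too
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumption: absolute links only

class AllowlistRenderer(HTMLParser):
    """Re-emits only allowlisted markup; comments and doctypes hit no-op handlers."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # tag is dropped, never copied through
        kept = ""
        for name, value in attrs:  # values arrive already entity-decoded
            url_ok = name != "href" or (value or "").strip().lower().startswith(SAFE_SCHEMES)
            if name in ALLOWED[tag] and value and url_ok:
                kept += f' {name}="{escape(value.strip(), quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while self.open:  # also close unclosed inner tags: output stays well-formed
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = AllowlistRenderer()
    parser.feed(markup)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open))
    return "".join(parser.out)

SAMPLE = (  # constructed sample input, not taken from the thread
    '<!-- log --><h1 onclick="x()">Log</h1><script>alert(1)</script>'
    '<p>ok <a href="javascript:alert(1)">run</a> '
    '<a href="https://example.org/log?id=1">link</a><iframe src="x"></iframe><b>unclosed')
```

Nothing from the input is copied through verbatim: every tag and attribute in the result is written by the renderer, and all text is re-escaped.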