On Sat, 4 Jul 2011, Matt McCutchen wrote:
> On Sat, 2011-06-04 at 10:43 +0200, Jakub Narebski wrote:
> > The fact that this buglet was present for so long, since its
> > introduction by Matt McCutchen in 7e1100e (gitweb: add $prevent_xss
> > option to prevent XSS by repository content, 2009-02-07) without
> > complaint shows that not many people are using this feature...
>
> Yes. Well, I'm still using it, and I found a few mentions on the web:
>
> https://android.git.kernel.org/?p=tools/gerrit.git;a=blob;f=gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java;h=947fbb423f1f8cf46db9876f4b80c600cdf9ee41;hb=HEAD#l193
> http://ao2.it/wiki/How_to_setup_a_GIT_server_with_gitosis_and_gitweb
> http://www.digitalfoo.net/posts/2009/11/git,_gitosis,_gitweb_on_FreeBSD/
>
> And there are probably others who did their own custom things (GitHub?)
> before the feature was added upstream.

In the future, however, it might be a better solution for gitweb to implement (as an option) support for CSP (Content Security Policy), which IIRC did not exist in 2009, in addition to the current $prevent_xss.

--
Jakub Narebski
Poland