Jeff King <peff@xxxxxxxx> writes:

> This series fixes an XSS issue reported to the git-security list where
> gitweb doesn't always quote its base url, meaning a specially-crafted
> URL can inject HTML into the finished page. Given the relatively low
> severity of the problem and my lack of familiarity with gitweb, it makes
> sense to me to just discuss this one in the open.
>
> Credit for finding the problem (and some patient explanations) goes
> to NAKAYAMA DAISUKE <nakyamad@xxxxxxxxxx>.
>
> [1/4]: t9502: pass along all arguments in xss helper
> [2/4]: t/gitweb-lib.sh: drop confusing quotes
> [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
> [4/4]: gitweb: escape URLs generated by href()
>
> gitweb/gitweb.perl                        | 31 +++++++++++++----------
> t/gitweb-lib.sh                           |  7 ++---
> t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
> 3 files changed, 25 insertions(+), 20 deletions(-)
>
> -Peff

Thanks, will queue.