davideuler / gitblit

Automatically exported from code.google.com/p/gitblit
Apache License 2.0

XSS/Input and request params validation #496

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Description:
    GitBlit is not validating or cleaning the input via request parameters.
Steps to reproduce the problem:
1.  Open Firefox (Chrome and IE block most XSS)
2.  Login to GitBlit
3.  Paste the following url into gitblit (filling in the server and repository info):
    https://<server>/history/?r=<repository>&h=refs/heads/master<script>alert(“hi”)</script>
    https://<server>/log/?r=<repository>&h=refs/heads/master<script>alert(“hi”)</script>
6.  Observe the javascript alert
Expected Output:
    An error message stating the input was invalid.
Actual Output:
    The execution of the javascript alert injected with the h parameter
Environment:
    Gitblit Version 1.6.0 running on rhel 6 / tomcat 7 / apache httpd 2.2 with proxy ajp

Original issue reported on code.google.com by 1988pors...@gmail.com on 5 Sep 2014 at 1:45

GoogleCodeExporter commented 9 years ago
I have a preliminary fix for this, but I'm still considering if I am taking the right approach.

Original comment by James.Mo...@gmail.com on 5 Sep 2014 at 11:24

GoogleCodeExporter commented 9 years ago
An XSS filter based on JSoup has been merged to master & develop.

This filter will strip out all html elements for url parameters and any non-whitelisted HTML elements from form inputs, markup docs, and optionally commit messages. The whitelist is based in part on stock JSoup and GitHub's documented html sanitizer.

Original comment by James.Mo...@gmail.com on 7 Sep 2014 at 4:59
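An added example, not Gitblit's own code, showing the two filter modes the comment above describes with the JSoup API: URL parameters such as `h` accept no HTML at all, while form input is cleaned against a whitelist. The `formWhitelist()` tag set here is an illustrative assumption, not the project's actual list, and the payload string is the one from the report.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class ParamSanitizer {

    // Constructed from the report: the "h" ref parameter with an injected script.
    static final String INJECTED_REF = "refs/heads/master<script>alert(\"hi\")</script>";

    /** URL parameters: reject any value containing HTML instead of silently repairing it. */
    public static boolean isCleanUrlParam(String value) {
        // Whitelist.none() permits text only, so any element makes the value invalid.
        return value != null && Jsoup.isValid(value, Whitelist.none());
    }

    /** URL parameters: strip every HTML element, keeping only the text content.
     *  Note that clean() returns an HTML fragment, so characters like '&' come back
     *  entity-encoded; for a git ref name, prefer rejecting via isCleanUrlParam(). */
    public static String stripHtml(String value) {
        return Jsoup.clean(value, Whitelist.none());
    }

    /** Form inputs: JSoup's stock "basic" whitelist plus headings and tables (illustrative).
     *  basic() already restricts <a href> to ftp/http/https/mailto, so javascript: URLs are dropped. */
    static Whitelist formWhitelist() {
        return Whitelist.basic()
                .addTags("h1", "h2", "h3", "table", "thead", "tbody", "tr", "th", "td");
    }

    public static String cleanFormInput(String html) {
        return Jsoup.clean(html, formWhitelist());
    }

    public static void main(String[] args) {
        System.out.println(isCleanUrlParam("refs/heads/master"));
        System.out.println(isCleanUrlParam(INJECTED_REF));
        System.out.println(stripHtml(INJECTED_REF));
        System.out.println(cleanFormInput(
                "<b>ok</b><script>alert(1)</script><a href=\"javascript:alert(1)\">x</a>"));
    }
}
```

With the report's payload, `isCleanUrlParam` returns false (the invalid-input error the reporter expected), while `stripHtml` drops the script element and its body, leaving only the ref name.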

GoogleCodeExporter commented 9 years ago
v1.6.1 released

Original comment by James.Mo...@gmail.com on 20 Oct 2014 at 9:36