tomaswolf / gerrit-gitblit-plugin

Integrates standard GitBlit (currently 1.7.1) as a repository viewer in Gerrit
Apache License 2.0

XSS filtering mangles file paths #3

Closed tomaswolf closed 9 years ago

tomaswolf commented 9 years ago

GitBlit's XSS filtering of request parameters is broken. It replaces a lot of non-ASCII (7bit) characters, but also <, &, and so on, by HTML entities. That may make sense when processing markdown and putting that into HTML, but for parameters in URL requests, this breaks things further down the line. If your repository has a file named "à.txt", GitBlit won't be able to find it because it'll end up looking for a file named "&agrave;.txt".

More GitBlit fixing needed here.
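The failure mode described in this issue, reproduced as an added example that is not GitBlit's code (GitBlit is Java; this is a standalone Python illustration). `input_side_filter` mimics a filter that HTML-encodes request parameters on the way in, so a file named `à.txt` is looked up as `&agrave;.txt` and is never found. The hardened variant leaves the path parameter's characters alone and instead enforces the property that matters for a path (it must stay under the repository root), with HTML encoding applied only at the output boundary in `render_link`. The sample file tree is constructed inline; function names are the example's own.

```python
import html
import tempfile
from html.entities import codepoint2name
from pathlib import Path

# Constructed sample tree (not a real GitBlit repository): a file with a
# non-ASCII name, one with HTML-special characters, and a plain one.
SAMPLE_FILES = {
    "à.txt": "accented file name\n",
    "docs/a<b>.md": "angle brackets in the name\n",
    "README": "plain ASCII\n",
}


def make_sample_repo() -> Path:
    """Write SAMPLE_FILES into a fresh temporary directory; return its root."""
    root = Path(tempfile.mkdtemp(prefix="xssfilter-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def input_side_filter(param: str) -> str:
    """Mimic the broken behaviour: HTML-encode a request parameter on input.

    Named entities where one exists (à -> &agrave;), numeric entities for
    other non-ASCII characters, and html.escape for < > & " '.
    """
    out = []
    for ch in param:
        cp = ord(ch)
        if ch in "<>&\"'":
            out.append(html.escape(ch, quote=True))
        elif cp > 0x7F:
            name = codepoint2name.get(cp)
            out.append(f"&{name};" if name else f"&#{cp};")
        else:
            out.append(ch)
    return "".join(out)


def lookup_broken(root: Path, path_param: str) -> bool:
    """Path lookup after the input-side filter has mangled the parameter."""
    return (root / input_side_filter(path_param)).is_file()


def resolve_repo_path(root: Path, path_param: str) -> Path:
    """Hardened variant: keep the characters of the path unchanged and check
    the property a path parameter actually needs, namely that it resolves to
    somewhere under the repository root. No HTML encoding happens here."""
    root = root.resolve()
    candidate = (root / path_param).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes repository root: {path_param!r}")
    return candidate


def lookup_hardened(root: Path, path_param: str) -> bool:
    """Same lookup using the hardened resolver; traversal attempts are refused."""
    try:
        return resolve_repo_path(root, path_param).is_file()
    except ValueError:
        return False


def render_link(path_param: str) -> str:
    """Encode at the output boundary only, where the raw value meets HTML."""
    return (
        f'<a href="?f={html.escape(path_param, quote=True)}">'
        f"{html.escape(path_param)}</a>"
    )


if __name__ == "__main__":
    repo = make_sample_repo()
    for name in SAMPLE_FILES:
        print(f"{name!r}: filtered={input_side_filter(name)!r} "
              f"broken={lookup_broken(repo, name)} hardened={lookup_hardened(repo, name)}")
    print(render_link("docs/a<b>.md"))
```

Running the script shows the plain ASCII name resolving either way, while `à.txt` and `docs/a<b>.md` are found only by the hardened path: entity-encoding is an output-context transformation for HTML and has no business being applied to a value that is about to be used as a filesystem path. The path-containment check in `resolve_repo_path` is the control that belongs at the input side.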

tomaswolf commented 9 years ago

This is an upstream bug in GitBlit: bug 526.

tomaswolf commented 9 years ago

Fixed on master in commit 46ede54.