![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
| author | Matt McCutchen <matt@mattmccutchen.net> | |
| Sun, 8 Feb 2009 00:00:09 +0000 (19:00 -0500) | ||
| committer | Junio C Hamano <gitster@pobox.com> | |
| Mon, 9 Feb 2009 05:51:25 +0000 (21:51 -0800) | ||
| commit | 7e1100e9e939c9178b2aa3969349e9e8d34488bf | |
| tree | a0238a2d09de9d5f9617e72559d5d79398836f45 | tree | snapshot |
| parent | 6e46cc0d9294d5f4ad0c9a6ffd2d9ca82bce8458 | commit | diff |
gitweb: add $prevent_xss option to prevent XSS by repository content
Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain. Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.
The XSS prevention is currently off by default.
Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain. Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.
The XSS prevention is currently off by default.
Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| gitweb/README | diff | blob | history | |
| gitweb/gitweb.perl | diff | blob | history |