Merge branch 'jk/maint-gitweb-xss'

Fixes an XSS vulnerability in gitweb. * jk/maint-gitweb-xss: gitweb: escape html in rss title
author: Junio C Hamano <gitster@pobox.com> 2012-11-20 10:37:27 -0800
committer: Junio C Hamano <gitster@pobox.com> 2012-11-20 10:37:27 -0800
commit: 79a09bba1cc919f5ea0992db358fb4b14ab2c226 (patch)
tree: 40b89ba60b8c8210030eb64e519f0abd1a8ce739 /t
parent: 05849c4818342a0e0ecb597fd2452125b00d543e (diff)
parent: 0f0ecf68b31303de7cb428554e27d433fe62180e (diff)
download: git-79a09bba1cc919f5ea0992db358fb4b14ab2c226.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh
index 731e64c3ad..3a8e7d3f5a 100755
--- a/t/t9502-gitweb-standalone-parse-output.sh
+++ b/t/t9502-gitweb-standalone-parse-output.sh
@@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' '
 	test_cmp expected actual
 '
 
+xss() {
+	echo >&2 "Checking $1..." &&
+	gitweb_run "$1" &&
+	if grep "$TAG" gitweb.body; then
+		echo >&2 "xss: $TAG should have been quoted in output"
+		return 1
+	fi
+	return 0
+}
+
+test_expect_success 'xss checks' '
+	TAG="<magic-xss-tag>" &&
+	xss "a=rss&p=$TAG" &&
+	xss "a=rss&p=foo.git&f=$TAG"
+'
 
 test_done
author	Junio C Hamano <gitster@pobox.com>	2012-11-20 10:37:27 -0800
committer	Junio C Hamano <gitster@pobox.com>	2012-11-20 10:37:27 -0800
commit	79a09bba1cc919f5ea0992db358fb4b14ab2c226 (patch)
tree	40b89ba60b8c8210030eb64e519f0abd1a8ce739 /t
parent	05849c4818342a0e0ecb597fd2452125b00d543e (diff)
parent	0f0ecf68b31303de7cb428554e27d433fe62180e (diff)
download	git-79a09bba1cc919f5ea0992db358fb4b14ab2c226.tar.gz