GitBlit is not validating or cleaning the input via request parameters.
Steps to reproduce the problem:
1. Open Firefox (Chrome and IE block most XSS)
2. Login to GitBlit
3. Paste the following url into gitblit (filling in the server and repository info):
An error message stating the input was invalid.
Gitblit Version 1.6.0 running on rhel 6 / tomcat 7 / apache httpd 2.2 with proxy ajp
Reported by 1988porsche944 on 2014-09-05 13:45:05
An XSS filter based on JSoup has been merged to master & develop.
This filter will strip out all html elements for url parameters and any non-whitelisted
HTML elements from form inputs, markup docs, and optionally commit messages. The whitelist
is based in part on stock JSoup and GitHub's documented html sanitizer.
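To make the two-tier approach in the comment above concrete (strip every element from URL parameters, allow only a whitelist in form inputs and markup), here is an added example written for this page. It is not Gitblit's own filter code; the class and method names are hypothetical, and it assumes jsoup's `org.jsoup.safety.Whitelist` API as shipped in the 1.7/1.8 series (newer jsoup releases rename the class to `Safelist` with the same methods).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Illustrative two-tier XSS sanitizer (added example, not Gitblit's XSS filter).
 * Assumes jsoup 1.8.x: org.jsoup.safety.Whitelist (later renamed Safelist).
 */
public class XssSanitizerExample {

    /**
     * URL/request parameters never legitimately carry markup, so every HTML
     * element is removed. Text content of safe tags is kept; the body of
     * elements like <script> (parsed as data, not text) is dropped entirely.
     */
    public static String cleanParameter(String raw) {
        if (raw == null) {
            return null;
        }
        return Jsoup.clean(raw, Whitelist.none());
    }

    /**
     * Whitelist for form inputs and markup documents: jsoup's stock "basic"
     * set (inline formatting, lists, links with http/https/ftp/mailto only,
     * rel="nofollow" enforced) plus a few block-level tags. Anything not
     * listed here, including event-handler attributes and javascript: URLs,
     * is discarded. The extra tags chosen here are illustrative, not Gitblit's list.
     */
    private static final Whitelist MARKUP_WHITELIST = Whitelist.basic()
            .addTags("h1", "h2", "h3", "h4", "table", "thead", "tbody", "tr", "th", "td", "img")
            .addAttributes("a", "href", "title")
            .addAttributes("img", "src", "alt")
            .addProtocols("img", "src", "http", "https");

    /** Form inputs / markup docs: keep whitelisted elements, drop the rest. */
    public static String cleanMarkup(String raw) {
        if (raw == null) {
            return null;
        }
        return Jsoup.clean(raw, MARKUP_WHITELIST);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration.
        String param = "<script>alert(document.cookie)</script>master";
        String markup = "<h2>Release notes</h2>"
                + "<p onmouseover=\"alert(1)\">See <a href=\"javascript:alert(1)\">here</a>"
                + " or <a href=\"https://example.invalid/docs\">the docs</a>.</p>"
                + "<iframe src=\"https://example.invalid/\"></iframe>";

        System.out.println("parameter: " + cleanParameter(param));
        System.out.println("markup:    " + cleanMarkup(markup));
    }
}
```

Two practical points follow from how `Jsoup.clean` works. First, it returns HTML, not plain text: reserved characters in the input are entity-encoded in the output, so a value that is afterwards placed into a URL, a header or a database lookup must be handled as HTML (or decoded) rather than assumed to be the original string. Second, cleaning is a defence for the rendering layer; it does not replace output encoding at the point where a value is written into a page, and the whitelist has to be reviewed whenever the rendered markup gains new features (for example, new Markdown extensions) so that the allowed tag set stays as small as what the UI actually needs.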