From mboxrd@z Thu Jan 1 00:00:00 1970
From: valentin.haenel at gmx.de (Valentin Haenel)
Date: Tue, 30 Oct 2012 10:54:38 +0100
Subject: [PATCHv2 2/3] Add ability to authorize viewing a repository
In-Reply-To: <20121029123817.GF17370@kudu.in-berlin.de>
References: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de>
 <1350894558-24840-2-git-send-email-valentin.haenel@gmx.de>
 <20121029123817.GF17370@kudu.in-berlin.de>
Message-ID: <20121030095438.GA9768@kudu.in-berlin.de>

* Valentin Haenel [2012-10-29]:
> * Jason A. Donenfeld [2012-10-28]:
> > On Sat, Oct 27, 2012 at 7:00 PM, Ben Boeckel wrote:
> > >> + cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'",
> > >> + ctx->repo->name, ctx->env.remote_user));
> >
> > XSS.
>
> Would it be enough to use 'html_txt' from html.c:
>
> http://git.zx2c4.com/cgit/tree/html.c#n92
>
> to prevent this?

After further investigation, I discovered that 'cgit_print_error' does
'html_txt' to do the escaping:

http://git.zx2c4.com/cgit/tree/ui-shared.c#n30

V-
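Review bot: both values interpolated into the error message, ctx->repo->name and ctx->env.remote_user, originate outside cgit (the requested repository and the web server's REMOTE_USER), so the `+ cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'",` line is only safe because cgit_print_error escapes its argument with html_txt, as the thread confirms at ui-shared.c#n30; it would be worth stating that reliance in the commit message so a later change to cgit_print_error does not silently reintroduce the injection, and, if ctx->env.remote_user can be unset on this error path, substituting a placeholder before it reaches %s.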
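The escaping path the thread settles on, as an added example that is not cgit's code: a request-controlled repository name and user name are formatted into the error message and the whole string is HTML-escaped before it is emitted, which is what the thread concludes cgit_print_error does via html_txt. The names escape_html and format_auth_error are chosen here and are not cgit APIs; the sample input is constructed.

```c
/* Added example, not cgit's code: escape an error message that
 * interpolates request-controlled strings before it reaches HTML.
 * escape_html() and format_auth_error() are names chosen for this
 * example; they are not cgit's html_txt / cgit_print_error. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace the characters that are significant in HTML text and in
 * double-quoted attributes. Returns a malloc'd string the caller frees,
 * or NULL on allocation failure. */
char *escape_html(const char *s)
{
    size_t cap = strlen(s) * 6 + 1; /* worst case: every char -> "&quot;" */
    char *out = malloc(cap);
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        case '&': rep = "&amp;"; break;
        case '"': rep = "&quot;"; break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(p, rep, n);
            p += n;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Build the authorization error the patch emits, then escape the whole
 * formatted string. A NULL user (REMOTE_USER unset) is rendered as
 * "(none)" rather than being passed to %s. Caller frees the result. */
char *format_auth_error(const char *repo, const char *user)
{
    char raw[1024];
    snprintf(raw, sizeof raw,
             "Authorization failed for repo: '%s' and user: '%s'",
             repo ? repo : "(none)", user ? user : "(none)");
    return escape_html(raw);
}

int main(void)
{
    /* Constructed sample input: a repository name carrying markup. */
    char *msg = format_auth_error("proj<b>&</b>", "alice");
    if (!msg)
        return 1;
    printf("%s\n", msg);
    free(msg);
    return 0;
}
```

Escaping is applied to the fully formatted message rather than to each argument, so a format string that later gains another %s is still covered; the fixed-size buffer simply truncates over-long input instead of overflowing.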