From mboxrd@z Thu Jan 1 00:00:00 1970
From: john at keeping.me.uk (John Keeping)
Date: Sun, 12 Jan 2014 22:17:43 +0000
Subject: [PATCH 1/3] ui-refs: escape HTML chars in author and tagger names
In-Reply-To:
References: <432e1f40c0d887db602ec9411ae16c45896a54f5.1389555852.git.john@keeping.me.uk>
Message-ID: <20140112221743.GV7608@serenity.lan>

On Sun, Jan 12, 2014 at 11:02:01PM +0100, Jason A. Donenfeld wrote:
> Same question here -- XSS potential?

This is the one that worries me. But actually, Git strips "<", ">" and "\n" from GIT_*_NAME, so the question becomes whether we can manually construct a Git object to exploit this.

I think the parsing.c::parse_user() function then saves us by stopping the name as soon as it hits "<". So there cannot be any way to insert HTML elements here.
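To illustrate the two layers discussed above (the name ending at the first "<" when the header line is parsed, plus escaping before output), here is an added example in C; it is not cgit's or Git's code, and `parse_name`, `html_escape` and `render_author_name` are names chosen for this example, modelling the behaviour the thread describes rather than the real `parse_user()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the parsing step described in the thread: the name part of an
 * "author"/"tagger" header line ends at the first '<' (or end of line).
 * Hypothetical helper, not Git's parse_user(). */
static char *parse_name(const char *line)
{
    const char *end = strchr(line, '<');
    size_t len = end ? (size_t)(end - line) : strlen(line);
    while (len > 0 && line[len - 1] == ' ')   /* drop trailing spaces */
        len--;
    char *name = malloc(len + 1);
    if (!name) return NULL;
    memcpy(name, line, len);
    name[len] = '\0';
    return name;
}

/* Minimal HTML text escaping, the kind of transform applied to a name
 * before it is written into a page. Hypothetical helper. */
static char *html_escape(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '<' || *p == '>') ? 4 : (*p == '&') ? 5 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        if (*p == '<')      { memcpy(q, "&lt;", 4);  q += 4; }
        else if (*p == '>') { memcpy(q, "&gt;", 4);  q += 4; }
        else if (*p == '&') { memcpy(q, "&amp;", 5); q += 5; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Parse, then escape: safe to emit even for a hand-built object whose
 * name contains characters Git itself would have stripped. Caller frees. */
char *render_author_name(const char *header_line)
{
    char *name = parse_name(header_line);
    if (!name) return NULL;
    char *esc = html_escape(name);
    free(name);
    return esc;
}

int main(void)
{
    /* Constructed sample header line (after the "author " keyword). */
    char *s = render_author_name("Eve <b>x</b> <eve@example.com> 1389555852 +0000");
    printf("%s\n", s);   /* prints "Eve": the name stops at the first '<' */
    free(s);
    return 0;
}
```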