From mboxrd@z Thu Jan 1 00:00:00 1970
From: john at keeping.me.uk (John Keeping)
Date: Sat, 16 Jan 2016 09:38:36 +0000
Subject: XSS in cgit
In-Reply-To:
References: <20160113191100.GA1660@dcvr.yhbt.net> <7B8B10EF-8DCA-4115-9D33-4DD56F670BAB@klever.net>
Message-ID: <20160116093836.GM14056@serenity.lan>

On Sat, Jan 16, 2016 at 01:23:39AM +0100, Jason A. Donenfeld wrote:
> Thanks for your response. So the use case was in fact quite specific,
> and it seems like our recent treatment of the /plain endpoint handles
> that quite well and in a safe manner too.
>
> Okay, I feel solid about the change now. Thanks a bunch.

It doesn't look like Michael's email made it to the list. Would you
mind summarising the use case?