From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 14 Jan 2016 13:59:37 +0100
Subject: XSS in cgit
In-Reply-To: <56978C56.8010907@hupie.com>
References: <CAHmME9pf_TjMHYiNuqC4fF5i69w+ntV+Rgv_Tt5c2Y7MnCtgKA@mail.gmail.com>
 <20160114105723.GH14056@serenity.lan>
 <CAHmME9qM0boQM2iXdeGMJt2qfBtShb-_yjyetW3YZB_5+Dv_EA@mail.gmail.com>
 <20160114110739.GI14056@serenity.lan> <56978C56.8010907@hupie.com>
Message-ID: <CAHmME9qAgG74+ESbWT0UXYBmRkACE3VgKikcvYRB=rbzZK8gmQ@mail.gmail.com>

I like this idea. The hard part is -- when HTML-serving mode is not
enabled, what mime types do we restrict? Krzysztof - is there a safe
and future-proof list of mimetypes that we can blacklist?