From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 14 Jan 2016 13:59:37 +0100
Subject: XSS in cgit
In-Reply-To: <56978C56.8010907@hupie.com>
References: <20160114105723.GH14056@serenity.lan> <20160114110739.GI14056@serenity.lan> <56978C56.8010907@hupie.com>
Message-ID:

I like this idea. The hard part is -- when HTML-serving mode is not enabled, what mime types do we restrict?

Krzysztof - is there a safe and future-proof list of mimetypes that we can blacklist?