From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 14 Jan 2016 12:01:57 +0100
Subject: XSS in cgit
In-Reply-To: <20160114105723.GH14056@serenity.lan>
References: <20160114105723.GH14056@serenity.lan>
Message-ID:

On Thu, Jan 14, 2016 at 11:57 AM, John Keeping wrote:
> I wonder if we should just drop support for the "mimetype" query
> parameter and see if anyone complains. In general, I would expect it to
> be the server's responsibility to decide on the type of its output and
> allowing the client to override it seems like a problem in general.

Agreed here. We still have the other issue of git repos containing valid
html with malicious scripts and whatnot, though.

Can we simply kill the feature of allowing HTML to be served from cgit?
This would indeed fix the security issue in the best way. But would folks
complain?
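The two mitigations discussed in this thread (the server, not the client, decides the type of a raw blob, and content a browser would render as an HTML document in cgit's origin is never served as such) can be expressed as one header-selection routine. The following C code is an added illustration written for this page; it is not cgit's code and not from either poster. The function names, the `struct blob_response` type and the list of "active" media types are assumptions made for the example, and the detected type passed in stands for whatever server-side detection the application already does; the client-supplied `mimetype` query parameter is deliberately not an input at all.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <ctype.h>

/* Headers to emit for a raw blob. Names here are assumptions for the example. */
struct blob_response {
    const char *content_type;        /* value for Content-Type */
    const char *content_disposition; /* "inline" or "attachment" */
    int nosniff;                     /* emit X-Content-Type-Options: nosniff */
};

/* Media types a browser would render or execute as a document in the
 * server's origin. The list is an assumption for the example, not cgit's. */
static const char *const active_types[] = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
    "text/javascript", "application/javascript",
    NULL
};

/* Case-insensitive match of the media type, ignoring ";charset=..." parameters
 * and trailing whitespace, so "Text/HTML; charset=utf-8" is still recognised. */
static int is_active_type(const char *type)
{
    size_t len = strcspn(type, ";");
    while (len > 0 && isspace((unsigned char)type[len - 1]))
        len--;
    for (const char *const *p = active_types; *p; p++) {
        if (strlen(*p) == len && strncasecmp(type, *p, len) == 0)
            return 1;
    }
    return 0;
}

/* Decide the response headers from the server-detected type only.
 * detected may be NULL when detection found nothing usable. */
static void blob_headers(const char *detected, struct blob_response *out)
{
    out->nosniff = 1;   /* always: stop browsers second-guessing the type */

    if (detected == NULL || *detected == '\0') {
        /* Unknown type: offer as a download rather than let the browser guess. */
        out->content_type = "application/octet-stream";
        out->content_disposition = "attachment";
    } else if (is_active_type(detected)) {
        /* Repository content that is valid HTML/SVG/XML: downgrade to plain
         * text and force a download so any script inside is never executed
         * in this origin. */
        out->content_type = "text/plain; charset=utf-8";
        out->content_disposition = "attachment";
    } else {
        /* Passive types (text/plain, image/png, ...) are safe to show inline. */
        out->content_type = detected;
        out->content_disposition = "inline";
    }
}

/* Render the decision as HTTP header lines; returns bytes written. */
static int format_headers(const struct blob_response *r, char *buf, size_t size)
{
    return snprintf(buf, size,
                    "Content-Type: %s\r\n"
                    "Content-Disposition: %s\r\n"
                    "%s",
                    r->content_type, r->content_disposition,
                    r->nosniff ? "X-Content-Type-Options: nosniff\r\n" : "");
}

int main(void)
{
    /* Constructed sample of what server-side detection might report for a
     * blob that happens to be an HTML file checked into a repository. */
    const char *detected = "text/html; charset=utf-8";
    struct blob_response r;
    char buf[256];

    blob_headers(detected, &r);
    format_headers(&r, buf, sizeof buf);
    fputs(buf, stdout);
    return 0;
}
```

The point of the structure is that there is no code path in which a request parameter can reach `Content-Type`; removing the `mimetype` query parameter is then not a policy decision that has to be remembered, but simply the absence of an input. Serving the file as an attachment with `nosniff` covers the remaining case Jason raises, a repository that legitimately contains HTML, without refusing to serve the bytes at all.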