Matt McCutchen 7e1100e9e9 gitweb: add $prevent_xss option to prevent XSS by repository content ...

Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain.  Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.

The XSS prevention is currently off by default.

Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

2009-02-08 21:51:25 -08:00

180 KiB

Executable File

Raw Blame History

View Raw