Apply the relaxed XSS filter to Markdown commit messages

author James Moger <james.moger@gitblit.com>

Sun, 7 Sep 2014 15:52:53 +0000 (11:52 -0400)

committer James Moger <james.moger@gitblit.com>

Sun, 7 Sep 2014 15:52:53 +0000 (11:52 -0400)
author James Moger <james.moger@gitblit.com>
Sun, 7 Sep 2014 15:52:53 +0000 (11:52 -0400)
committer James Moger <james.moger@gitblit.com>
Sun, 7 Sep 2014 15:52:53 +0000 (11:52 -0400)
diff --git a/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java b/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java

index 253c4fe4c278877b8663ac7842719f2664d74795..2bd9dc6c946071b256eb5e43cada69de0e715731 100644 (file)
--- a/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
@@ -550,7 +550,8 @@ public abstract class RepositoryPage extends RootPage {
                 String html;\r
                 switch (model.commitMessageRenderer) {\r
                 case MARKDOWN:\r
-                       html = MessageFormat.format("<div class='commit_message'>{0}</div>", content);\r
+                       String safeContent = app().xssFilter().relaxed(content);\r
+                       html = MessageFormat.format("<div class='commit_message'>{0}</div>", safeContent);\r
                         break;\r
                 default:\r
                         html = MessageFormat.format("<pre class='commit_message'>{0}</pre>", content);\r
author	James Moger <james.moger@gitblit.com>
	Sun, 7 Sep 2014 15:52:53 +0000 (11:52 -0400)
committer	James Moger <james.moger@gitblit.com>
	Sun, 7 Sep 2014 15:52:53 +0000 (11:52 -0400)