From: James Moger <james.moger@gitblit.com>
Date: Tue, 4 Nov 2014 22:12:00 +0000 (-0500)
Subject: Whitelist the "target" link attribute in the XSS filter
X-Git-Tag: v1.7.0~1^2~112^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Ftickets%2F16%2F216%2F1;p=gitblit.git

Whitelist the "target" link attribute in the XSS filter
---

diff --git a/releases.moxie b/releases.moxie
index 2bca1a74..d98c2d41 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -18,6 +18,7 @@ r27: {
     - Fix exception when viewing a ticket with a patchset where the integration branch does not exist (issue-521, ticket-212)
     - Fix exception when deleting a repository using the FileTicketService (issue-522, ticket-213)
     - Do not inject team repository permissions as explicit user permissoins when editing a user (issue-462, ticket-214)
+    - Whitelist the target link attribute in the XSS filter (ticket-216)
     changes:
     - Replaced Dagger with Guice (ticket-80)
     - Use release name as root directory in Gitblit GO artifacts (ticket-109)
@@ -41,6 +42,7 @@ r27: {
     - Florian Zschocke
     - Paul Martin
     - razzard
+    - Alexander Zabluda
 }
 
 #
diff --git a/src/main/java/com/gitblit/utils/JSoupXssFilter.java b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
index b5ac59f6..aec22411 100644
--- a/src/main/java/com/gitblit/utils/JSoupXssFilter.java
+++ b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
@@ -73,7 +73,7 @@ public class JSoupXssFilter implements XssFilter {
                 "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "tt", "u",
                 "ul", "var")
 
-        .addAttributes("a", "class", "href", "style", "title")
+        .addAttributes("a", "class", "href", "style", "target", "title")
         .addAttributes("blockquote", "cite")
         .addAttributes("col", "span", "width")
         .addAttributes("colgroup", "span", "width")