From b5010f9f54ae2d32cf1c86e7b7129aa2d6633053 Mon Sep 17 00:00:00 2001 From: James Moger Date: Tue, 4 Nov 2014 17:12:00 -0500 Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter --- releases.moxie | 2 ++ src/main/java/com/gitblit/utils/JSoupXssFilter.java | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/releases.moxie b/releases.moxie index 2bca1a74..d98c2d41 100644 --- a/releases.moxie +++ b/releases.moxie @@ -18,6 +18,7 @@ r27: { - Fix exception when viewing a ticket with a patchset where the integration branch does not exist (issue-521, ticket-212) - Fix exception when deleting a repository using the FileTicketService (issue-522, ticket-213) - Do not inject team repository permissions as explicit user permissoins when editing a user (issue-462, ticket-214) + - Whitelist the target link attribute in the XSS filter (ticket-216) changes: - Replaced Dagger with Guice (ticket-80) - Use release name as root directory in Gitblit GO artifacts (ticket-109) @@ -41,6 +42,7 @@ r27: { - Florian Zschocke - Paul Martin - razzard + - Alexander Zabluda } # diff --git a/src/main/java/com/gitblit/utils/JSoupXssFilter.java b/src/main/java/com/gitblit/utils/JSoupXssFilter.java index b5ac59f6..aec22411 100644 --- a/src/main/java/com/gitblit/utils/JSoupXssFilter.java +++ b/src/main/java/com/gitblit/utils/JSoupXssFilter.java @@ -73,7 +73,7 @@ public class JSoupXssFilter implements XssFilter { "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "tt", "u", "ul", "var") - .addAttributes("a", "class", "href", "style", "title") + .addAttributes("a", "class", "href", "style", "target", "title") .addAttributes("blockquote", "cite") .addAttributes("col", "span", "width") .addAttributes("colgroup", "span", "width") -- 2.39.5