Merge branch 'ticket/164' into develop

author: James Moger <james.moger@gitblit.com> 2014-09-07 12:53:08 -0400
committer: James Moger <james.moger@gitblit.com> 2014-09-07 12:53:08 -0400
commit: f7174e6984c08a153d1ba198c4bffe68c5afd873 (patch)
tree: a4f81f00320a3e962f87714f2e0ee90528beb2e4 /src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
parent: b8a44784ba8b0aaf9a3fbe6321956c0ee0e0451c (diff)
parent: 7fdc298cf06c3d88d4fd9fd158fb4d32edac12a0 (diff)
download: gitblit-f7174e6984c08a153d1ba198c4bffe68c5afd873.tar.gz
gitblit-f7174e6984c08a153d1ba198c4bffe68c5afd873.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java b/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
index 253c4fe4..2bd9dc6c 100644
--- a/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
@@ -550,7 +550,8 @@ public abstract class RepositoryPage extends RootPage {
 		String html;
 		switch (model.commitMessageRenderer) {
 		case MARKDOWN:
-			html = MessageFormat.format("<div class='commit_message'>{0}</div>", content);
+			String safeContent = app().xssFilter().relaxed(content);
+			html = MessageFormat.format("<div class='commit_message'>{0}</div>", safeContent);
 			break;
 		default:
 			html = MessageFormat.format("<pre class='commit_message'>{0}</pre>", content);
author	James Moger <james.moger@gitblit.com>	2014-09-07 12:53:08 -0400
committer	James Moger <james.moger@gitblit.com>	2014-09-07 12:53:08 -0400
commit	f7174e6984c08a153d1ba198c4bffe68c5afd873 (patch)
tree	a4f81f00320a3e962f87714f2e0ee90528beb2e4 /src/main/java/com/gitblit/wicket/pages/RepositoryPage.java
parent	b8a44784ba8b0aaf9a3fbe6321956c0ee0e0451c (diff)
parent	7fdc298cf06c3d88d4fd9fd158fb4d32edac12a0 (diff)
download	gitblit-f7174e6984c08a153d1ba198c4bffe68c5afd873.tar.gz gitblit-f7174e6984c08a153d1ba198c4bffe68c5afd873.zip