gitweb: add $prevent_xss option to prevent XSS by repository content
authorMatt McCutchen <matt@mattmccutchen.net>
Sun, 8 Feb 2009 00:00:09 +0000 (19:00 -0500)
committerJunio C Hamano <gitster@pobox.com>
Mon, 9 Feb 2009 05:51:25 +0000 (21:51 -0800)
Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain. Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.

The XSS prevention is currently off by default.

Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
No differences found