GitLab 6.6.5 83eb5f32 does not escape in commit messages
Created by: Happy86
It seems like commit messages are not or not properly escaped when displayed in GitLab.
I have not tried injecting JavaScript yet but things like
ä
are shown as 'ä' if GitLab displays the commit message.
Is this behaviour intended?
System information
System: Debian 7.4
Current User: git
Using RVM: no
Ruby Version: 2.0.0p353
Gem Version: 2.0.14
Bundler Version:1.5.3
Rake Version: 10.1.1

GitLab information
Version: 6.6.5
Revision: 83eb5f32
Directory: /home/git/gitlab
DB Adapter: postgresql
URL: https://$FQDN
HTTP Clone URL: https://$FQDN/some-project.git
SSH Clone URL: git@$FQDN:some-project.git
Using LDAP: yes
Using Omniauth: no

GitLab Shell
Version: 1.8.0
Repositories: /home/git/repositories
Hooks: /home/git/gitlab-shell/hooks/
Git: /usr/bin/git