XSS git config with alert
ZD: https://gitlab.zendesk.com/agent/tickets/19595
Reproduced: https://gitlab.com/balameb/sample-two
Description
Fun alert when using git config --global user.email '[email protected]" onmouseover="alert(1)'. After pushing any changes navigate to the specific commit in Gitlab (or main project page) and hover over your username, the alert gets displayed.
There might be some other locations where the git username/email gets displayed, but I suppose your knowledge of where exactly is bigger than mine in that regard(already checked on project->graphs, but since < and > IS filtered out I couldn't get anything to display there).
/cc @DouweM