XSS injection on branch names

ZD: https://gitlab.zendesk.com/agent/tickets/19595

Description

XSS injection: naming a branch ");alert(1);console.log(" (including the quotes around it) and then visiting the commits page of that branch causes the alert to be displayed. This is due to the CommitsList.init() call made on that page, which inserts the branch name into the inline script without any escaping or filtering that I can see.
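The failure mode above is a branch name dropped verbatim into a JavaScript string literal. The following is an added example, not GitLab's code: the template shape CommitsList.init("...") is assumed from the report, and it shows the unescaped form beside an encoding that keeps the name inside the literal (JSON.stringify plus neutralising "<" so the value can also never close the enclosing script tag), with a small harness that evaluates the generated script against a stub to confirm init() receives the branch name as a single argument.

```javascript
// Added example (not GitLab's code). Assumed template: CommitsList.init("<branch>");

// Vulnerable pattern: the branch name is interpolated as-is into a string literal,
// so a name containing a double quote terminates the literal early.
function buildScriptUnsafe(branchName) {
  return `CommitsList.init("${branchName}");`;
}

// Hardened pattern: JSON.stringify produces a valid JS string literal (escaping
// quotes and backslashes); "<" is encoded so the value cannot contain "</script>",
// and U+2028/U+2029 are encoded for engines that treat them as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildScriptSafe(branchName) {
  return `CommitsList.init(${jsStringLiteral(branchName)});`;
}

// Regression check: run the generated script with a stub CommitsList and a stub
// alert, and report what init() received and whether anything else executed.
// A correct encoding yields exactly one init() call carrying the original name.
function evaluateScript(script) {
  const calls = [];
  let sideEffect = false;
  const stubCommitsList = { init: (...args) => { calls.push(args); } };
  const stubAlert = () => { sideEffect = true; };
  const stubConsole = { log: () => {} };
  new Function('CommitsList', 'alert', 'console', script)(stubCommitsList, stubAlert, stubConsole);
  return { calls, sideEffect };
}

// Constructed sample input: the branch name from the report.
const REPORTED_BRANCH = '");alert(1);console.log("';

function demo() {
  const safe = evaluateScript(buildScriptSafe(REPORTED_BRANCH));
  return safe.calls.length === 1 && safe.calls[0][0] === REPORTED_BRANCH && !safe.sideEffect;
}
```

demo() returns true only when the hardened builder passes the reported name through as one argument with no other statement executed.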

/cc @rspeicher