Skip to content
GitLab
Next
Closed
Issue created by Jose Torres@balamebContributor

XSS injection on branch names

ZD: https://gitlab.zendesk.com/agent/tickets/19595

Description

XSS injection: naming a branch: ");alert(1);console.log(" including the quotes around it, then going to the commits page of this branch causes the alert to be displayed. This is due to the CommitsList.init() call that's made on that page, which allows any name to be inserted there without filtering that I can see.

/cc @rspeicher