Skip to content
GitLab Next
Closed
Created by Jose Torres@balamebContributor

XSS injection on branch names

ZD: https://gitlab.zendesk.com/agent/tickets/19595

Description

XSS injection: naming a branch: ");alert(1);console.log(" including the quotes around it, then going to the commits page of this branch causes the alert to be displayed. This is due to the CommitsList.init() call that's made on that page, which allows any name to be inserted there without filtering that I can see.

/cc @rspeicher