Gitlab is subject to script injection through crafted git commit message

Created by: ebouchut

When displaying a git commit message that contains HTML tags, GitLab does not HTML escape them. The commit message being displayed as HTML, any page that lists the commits is thus subject to javascript injection.

git commit -m '<script type="text/javascript">alert("Here we go...");</script>'

Admin message

Admin message

Gitlab is subject to script injection through crafted git commit message