From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter
---
 src/main/java/com/gitblit/servlet/DownloadZipFilter.java | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/main/java/com/gitblit/servlet/DownloadZipFilter.java b/src/main/java/com/gitblit/servlet/DownloadZipFilter.java
index 0c7b3e5..42257a2 100644
--- a/src/main/java/com/gitblit/servlet/DownloadZipFilter.java
+++ b/src/main/java/com/gitblit/servlet/DownloadZipFilter.java
@@ -38,11 +38,14 @@
 @Override
 protected String extractRepositoryName(String url) {
 int a = url.indexOf("r=");
- String repository = url.substring(a + 2);
- if (repository.indexOf('&') > -1) {
- repository = repository.substring(0, repository.indexOf('&'));
+ if (a > -1) {
+ String repository = url.substring(a + 2);
+ if (repository.indexOf('&') > -1) {
+ repository = repository.substring(0, repository.indexOf('&'));
+ }
+ return repository;
 }
- return repository;
+ return null;
 }

 /**
-- 
Gitblit v1.9.1
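Review bot: `url.indexOf("r=")` on the unchanged third line of the hunk still matches the first occurrence of those two characters anywhere in the string, so a preceding parameter whose name ends in `r` (e.g. `user=x&r=repo`) makes the method return `x` as the repository name; the new `a > -1` guard only fixes the missing-parameter case. Since the result is a repository name that is presumably used for lookup and access decisions downstream, the search should be anchored to a parameter boundary (`?` or `&`, or position 0 if `url` can be a bare query string), as sketched below. The method's callers are outside the hunk, so whether they tolerate the new `return null` cannot be confirmed from here. Separately, the patch subject ("Whitelist the "target" link attribute in the XSS filter") does not describe this hunk, which changes `DownloadZipFilter.extractRepositoryName`.
```java
	@Override
	protected String extractRepositoryName(String url) {
		// accept "r=" only at a parameter boundary, not inside e.g. "user=" or "filter="
		int a = url.indexOf("r=");
		while (a > 0 && url.charAt(a - 1) != '&' && url.charAt(a - 1) != '?') {
			a = url.indexOf("r=", a + 1);
		}
		if (a > -1) {
			String repository = url.substring(a + 2);
			// … unchanged: truncate at '&' and return repository …
		}
		return null;
	}
```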