From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter

---
 src/main/java/com/gitblit/tickets/QueryBuilder.java |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/src/main/java/com/gitblit/tickets/QueryBuilder.java b/src/main/java/com/gitblit/tickets/QueryBuilder.java
index 17aeb98..0a6d0e9 100644
--- a/src/main/java/com/gitblit/tickets/QueryBuilder.java
+++ b/src/main/java/com/gitblit/tickets/QueryBuilder.java
@@ -201,6 +201,12 @@
 				q = q.substring(1, q.length() - 1);
 			}
 		}
+		if (q.startsWith("AND ")) {
+			q = q.substring(3).trim();
+		}
+		if (q.startsWith("OR ")) {
+			q = q.substring(2).trim();
+		}
 		return q;
 	}
 
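Review bot: The two added `startsWith` checks each run once and in a fixed order, so a string such as `OR AND x` or `AND AND x` (constructed examples) still comes back with a dangling leading `AND`, and a bare `AND` or `OR` with no trailing space is left untouched. If the returned string goes to a query parser, which this hunk does not show, that leftover operator would presumably still be rejected. A loop covers the repeated case: `while (q.startsWith("AND ") || q.startsWith("OR ")) { q = q.substring(q.indexOf(' ')).trim(); }`. Separately, the subject line describes whitelisting the `target` attribute in the XSS filter, but the only file touched is QueryBuilder.java, so anyone auditing XSS-filter changes from the log would be led to a commit that does not contain one. The method begins outside the hunk, so how `q` is built before the parenthesis stripping cannot be checked from here.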

--
Gitblit v1.9.1