From dfaf1fc1f6d8214bcabb9a613d53d0f0dc45352c Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Sun, 07 Sep 2014 11:43:33 -0400
Subject: [PATCH] XSS sanitize standard page url parameters

---
 src/main/java/com/gitblit/tickets/QueryBuilder.java |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/src/main/java/com/gitblit/tickets/QueryBuilder.java b/src/main/java/com/gitblit/tickets/QueryBuilder.java
index 17aeb98..0a6d0e9 100644
--- a/src/main/java/com/gitblit/tickets/QueryBuilder.java
+++ b/src/main/java/com/gitblit/tickets/QueryBuilder.java
@@ -201,6 +201,12 @@
 				q = q.substring(1, q.length() - 1);
 			}
 		}
+		if (q.startsWith("AND ")) {
+			q = q.substring(3).trim();
+		}
+		if (q.startsWith("OR ")) {
+			q = q.substring(2).trim();
+		}
 		return q;
 	}
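Review bot: Nothing in this hunk escapes or encodes the query for HTML output, so despite the subject line "XSS sanitize" the added lines only drop a leading `AND ` / `OR ` operator; any actual XSS protection for this value must come from the layer that renders it into a page, and that layer is not part of this single-file commit, so it should be verified separately rather than assumed. The stripping is also single-pass and order-dependent: `AND AND foo` and `OR AND foo` both keep a leading operator because each prefix is checked once, in fixed order. A loop such as `while (q.startsWith("AND ") || q.startsWith("OR ")) { q = q.substring(q.indexOf(' ')).trim(); }` covers repeated and mixed prefixes with the same result for the inputs the current code handles. A short comment would help the next reader, e.g. `// a query beginning with a bare boolean operator is syntactically invalid; drop it rather than fail the parse` — hedged, since the reason is not stated in the commit. The enclosing method starts before this hunk, so its contract (what `q` is, whether it can be null) is not visible here.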
 

--
Gitblit v1.9.1