Apr 9, 2015 - Douwe Maan

GitLab not affected by Redcarpet XSS vulnerability

Two days ago, Daniel LeCheminant released a blog post describing a potential cross-site scripting vulnerability in the Redcarpet Markdown library. GitLab is not affected by this vulnerability.

Background

The vulnerability affects applications that send the HTML produced by the Redcarpet Markdown library straight to the user's browser. GitLab does not do that: the rendered HTML passes through an extra step of HTML sanitization before it is served, which strips out potentially dangerous markup such as onclick attributes that can execute JavaScript. Because the sanitizer runs on the rendered output, it removes anything dangerous that the Markdown renderer emits, regardless of which Redcarpet bug produced it.
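The following is an added illustration of that extra sanitization step, not GitLab's or Redcarpet's own code. It is a minimal allowlist sanitizer built on Python's standard-library HTML tokenizer; the allowed tags, attributes and URL schemes are an assumed, illustrative subset, and the input is a constructed string that resembles Markdown renderer output into which an onclick attribute and a javascript: link have been injected. In a Ruby deployment one would use a maintained sanitizer (for example the Sanitize gem or html-pipeline's SanitizationFilter) rather than writing one.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for illustration only: tag -> attributes permitted on it.
# Anything not listed here (onclick, onerror, style, <script>, ...) is dropped.
ALLOWED_TAGS = {
    "p": set(), "em": set(), "strong": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "title"},
}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its text are both removed


def safe_url(value):
    """Allow relative URLs and allowlisted schemes; reject javascript:, data:, ..."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class AllowlistSanitizer(HTMLParser):
    """Re-serializes only allowlisted tags/attributes; everything else is removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself but keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # event handlers and other unlisted attributes never survive
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue  # attribute is allowed, but its URL scheme is not
            # HTMLParser has already decoded entities; re-escape on output so an
            # injected quote cannot break out of the attribute.
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """The 'extra step': run rendered HTML through the allowlist before serving it."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: what a Markdown renderer might emit if attacker-controlled
# input managed to inject an event handler and a javascript: URL.
RENDERED = (
    '<p>Click <a href="http://example.com/" onclick="alert(1)">here</a>'
    ' or <a href="javascript:alert(document.cookie)">this</a>.'
    '<script>alert(2)</script></p>'
)

if __name__ == "__main__":
    print(sanitize(RENDERED))
```

The sanitizer is deliberately driven by an allowlist: it decides what may pass rather than trying to enumerate what is dangerous, so a renderer bug that produces a new kind of hostile attribute or tag is still neutralized. Checking the scheme of href and src values matters as much as dropping on* attributes, since a plain `<a href="javascript:...">` carries no event handler at all.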

Please contact us at support at gitlab.com if you have any questions about this issue.
