Description
For Fisheye-indexed changesets committed by a committer with special characters in his/her name (e.g. </a><script>alert('f')</script> user <alerted2@example.com>), the link to this committer's commits does not work and the page renders an error.
It seems that the link is encoded properly; for the above example it is:
./committer/cs/%3C%2Fa%3E%3Cscript%3Ealert%28%27f%27%29%3C%2Fscript%3E%20user%20%3Calerted2%40example.com%3E
but the page rendering it incorrectly decodes the committer name as < and, failing to find it, renders an error:
The requested resource cannot be found.
Committer < does not exist in repository cs
This was identified by rstephens when reviewing FECRU-2624, see https://extranet.atlassian.com/crucible/cru/CR-FE-6991#c74313.
In order to reproduce:
- commit a change as a committer with the username </a><script>alert('f')</script> user <alerted2@example.com> and ensure it gets indexed by FishEye
- navigate to the activity page of the repository the change was checked into
- find the committer name in the activity pane and click on it. Although the URL is encoded properly, expect the error message mentioned above
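The following is an added example, not FishEye code. It reproduces the symptom from the report under one assumed cause that the report does not confirm: a handler that percent-decodes the whole path before splitting it on "/". The function names and the handler logic are hypothetical; the committer name, repository name and link format are taken from the report.

```python
from urllib.parse import quote, unquote

# Committer name and repository taken from the report above.
COMMITTER = "</a><script>alert('f')</script> user <alerted2@example.com>"
REPO = "cs"


def build_link(repo, committer):
    """Encode each value as one path segment; safe='' also encodes '/'."""
    return "./committer/%s/%s" % (quote(repo, safe=""), quote(committer, safe=""))


def parse_decode_first(path):
    """Assumed faulty order: decode the whole path, then split on '/'.

    The decoded '%2F' in '</a>' becomes a real separator, so the
    committer segment is cut off right after its first character.
    """
    parts = unquote(path).split("/")
    return parts[2], parts[3]


def parse_split_first(path):
    """Corrected order: split the raw path, then decode each segment."""
    parts = path.split("/")
    if len(parts) != 4 or parts[:2] != [".", "committer"]:
        raise ValueError("unexpected committer path")
    return unquote(parts[2]), unquote(parts[3])


def not_found_message(repo, committer):
    """Error text in the form quoted in the report."""
    return "Committer %s does not exist in repository %s" % (committer, repo)


if __name__ == "__main__":
    link = build_link(REPO, COMMITTER)
    print(link)
    # Faulty order looks up a committer that was never indexed.
    repo, name = parse_decode_first(link)
    print(not_found_message(repo, name))
    # Corrected order recovers the exact name that was committed.
    repo, name = parse_split_first(link)
    print(name == COMMITTER)
```

With the decode-first order the lookup key is the single character `<`, which matches the error text in the report; with the split-first order the full committer name round-trips unchanged.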