---
title: "GitLab not affected by Redcarpet XSS vulnerability"
date: 2015-04-09
categories: company
author: Douwe Maan
author_twitter: DouweM
---

Two days ago, Daniel LeCheminant released a
[blog post describing a potential cross-site scripting vulnerability in the Redcarpet Markdown library](http://danlec.com/blog/bug-in-sundown-and-redcarpet).
GitLab is not affected by this vulnerability.

<!-- more -->

## Background

The vulnerability affects applications that send the HTML that is output by
the Redcarpet Markdown library directly to the user's browser.
GitLab takes the output through an extra step of HTML sanitization, which
strips out potentially dangerous code, like `onclick` attributes that can
execute JavaScript.

Please contact us at support at gitlab.com if you have any questions about this issue.