author: Josh Frye <joshfng@gmail.com> 2016-01-12 14:15:59 -0500
committer: Josh Frye <joshfng@gmail.com> 2016-01-12 14:15:59 -0500
commit: 95e76aa0516e5d4e83457dfd80fcee42f6f92b91 (patch)
tree: a7d6baecb5b60bf8e1dfefb1bfc33c89fde7b659
parent: 62aebc8541a164e3935cdeef335659bf4dc97839 (diff)
download: gitlab-ce-abuse-autofill-message.tar.gz

sanitize user-supplied input. (branch: abuse-autofill-message)

-rw-r--r-- CHANGELOG                              1
-rw-r--r-- app/views/abuse_reports/new.html.haml   2
2 files changed, 1 insertion, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index df1d281ce28..7dd17251663 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -42,7 +42,6 @@ v 8.4.0 (unreleased)
- Ajax filter by message for commits page
- API: Add support for deleting a tag via the API (Robert Schilling)
- Allow subsequent validations in CI Linter
- - Autofill referring url in message box when reporting user abuse. (Josh Frye)
v 8.3.4
- Use gitlab-workhorse 0.5.4 (fixes API routing bug)
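Review bot: the removed line in this hunk drops the "Autofill referring url in message box when reporting user abuse" entry from the unreleased v 8.4.0 section, yet the view hunk in this same commit still pre-fills the message box from `@ref_url`, so the feature still ships and now has no changelog record; if the intent was to fold the entry into another line, that edit is missing, and if the intent was to note the hardening, the entry should stay and say so (e.g. "- Autofill referring url in message box when reporting user abuse; value is sanitized (Josh Frye)") rather than be deleted.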
diff --git a/app/views/abuse_reports/new.html.haml b/app/views/abuse_reports/new.html.haml
index 8d31182a3e6..f125ecf7be5 100644
--- a/app/views/abuse_reports/new.html.haml
+++ b/app/views/abuse_reports/new.html.haml
@@ -16,7 +16,7 @@
.form-group
= f.label :message, class: 'control-label'
.col-sm-10
- = f.text_area :message, class: "form-control js-quick-submit", rows: 2, required: true, value: @ref_url
+ = f.text_area :message, class: "form-control js-quick-submit", rows: 2, required: true, value: sanitize(@ref_url)
.help-block
Explain the problem with this user. If appropriate, provide a link to the relevant issue or comment.
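Review bot: `sanitize(@ref_url)` on the `+` line applies Rails' HTML allow-list sanitizer to a value that the `text_area` helper already HTML-escapes when it renders the textarea content, so it does not close an escaping gap, and it can alter the displayed URL (entities rewritten, angle-bracket segments stripped). It also returns an `html_safe` buffer, so the form helper stops escaping the result and correctness then rests entirely on the sanitizer's allow-list instead of on plain escaping. Suggest keeping `value: @ref_url` (escaped by the helper) and, if the concern is where the referrer comes from, validating it in the controller before assignment (the assignment is not in this diff), e.g. accept it only when it parses as an `http`/`https` URL for this host and otherwise fall back to an empty string; add a view spec asserting that a referrer containing `<`, `"` and `&` is rendered escaped inside the textarea.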