Merge 'dev/master' into master

7 files changed, 56 insertions, 12 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2686d778b09..e625278a796 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,18 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 9.1.3 (2017-05-05)
+
+- Do not show private groups on subgroups page if user doesn't have access to.
+- Enforce project features when searching blobs and wikis.
+- Fixed branches dropdown rendering branch names as HTML.
+- Make Asciidoc & other markup go through pipeline to prevent XSS.
+- Validate URLs in markdown using URI to detect the host correctly.
+- Fix for XSS in project import view caused by Hamlit filter usage.
+- Sanitize submodule URLs before linking to them in the file tree view.
+- Refactor snippets finder & dont return internal snippets for external users.
+- Fix snippets visibility for show action - external users can not see internal snippets.
+
 ## 9.1.2 (2017-05-01)
 
 - Add index on ci_runners.contacted_at. !10876 (blackst0ne)
@@ -276,6 +288,18 @@ entry.
 - Only send chat notifications for the default branch.
 - Don't fill in the default kubernetes namespace.
 
+## 9.0.7 (2017-05-05)
+
+- Enforce project features when searching blobs and wikis.
+- Fixed branches dropdown rendering branch names as HTML.
+- Make Asciidoc & other markup go through pipeline to prevent XSS.
+- Validate URLs in markdown using URI to detect the host correctly.
+- Fix for XSS in project import view caused by Hamlit filter usage.
+- Sanitize submodule URLs before linking to them in the file tree view.
+- Refactor snippets finder & dont return internal snippets for external users.
+- Fix snippets visibility for show action - external users can not see internal snippets.
+- Do not show private groups on subgroups page if user doesn't have access to.
+
 ## 9.0.6 (2017-04-21)
 
 - Bugfix: POST /projects/:id/hooks and PUT /projects/:id/hook/:hook_id no longer ignore the the job_events param in the V4 API. !10586
@@ -620,6 +644,17 @@ entry.
 - Change development tanuki favicon colors to match logo color order.
 - API issues - support filtering by iids.
 
+## 8.17.6 (2017-05-05)
+
+- Enforce project features when searching blobs and wikis.
+- Fixed branches dropdown rendering branch names as HTML.
+- Make Asciidoc & other markup go through pipeline to prevent XSS.
+- Validate URLs in markdown using URI to detect the host correctly.
+- Fix for XSS in project import view caused by Hamlit filter usage.
+- Sanitize submodule URLs before linking to them in the file tree view.
+- Refactor snippets finder & dont return internal snippets for external users.
+- Fix snippets visibility for show action - external users can not see internal snippets.
+
 ## 8.17.5 (2017-04-05)
 
 - Don’t show source project name when user does not have access.
diff --git a/app/assets/javascripts/droplab/constants.js b/app/assets/javascripts/droplab/constants.js
index 8883ed9aa14..868d47e91b3 100644
--- a/app/assets/javascripts/droplab/constants.js
+++ b/app/assets/javascripts/droplab/constants.js
@@ -3,11 +3,14 @@ const DATA_DROPDOWN = 'data-dropdown';
 const SELECTED_CLASS = 'droplab-item-selected';
 const ACTIVE_CLASS = 'droplab-item-active';
 const IGNORE_CLASS = 'droplab-item-ignore';
+// Matches `{{anything}}` and `{{ everything }}`.
+const TEMPLATE_REGEX = /\{\{(.+?)\}\}/g;
 
 export {
   DATA_TRIGGER,
   DATA_DROPDOWN,
   SELECTED_CLASS,
   ACTIVE_CLASS,
+  TEMPLATE_REGEX,
   IGNORE_CLASS,
 };
diff --git a/app/assets/javascripts/droplab/drop_down.js b/app/assets/javascripts/droplab/drop_down.js
index 1fb4d63923c..de3927d683c 100644
--- a/app/assets/javascripts/droplab/drop_down.js
+++ b/app/assets/javascripts/droplab/drop_down.js
@@ -94,7 +94,7 @@ Object.assign(DropDown.prototype, {
   },
 
   renderChildren: function(data) {
-    var html = utils.t(this.templateString, data);
+    var html = utils.template(this.templateString, data);
     var template = document.createElement('div');
 
     template.innerHTML = html;
diff --git a/app/assets/javascripts/droplab/utils.js b/app/assets/javascripts/droplab/utils.js
index c149a33a1e9..4da7344604e 100644
--- a/app/assets/javascripts/droplab/utils.js
+++ b/app/assets/javascripts/droplab/utils.js
@@ -1,19 +1,19 @@
 /* eslint-disable */
 
-import { DATA_TRIGGER, DATA_DROPDOWN } from './constants';
+import { template as _template } from 'underscore';
+import { DATA_TRIGGER, DATA_DROPDOWN, TEMPLATE_REGEX } from './constants';
 
 const utils = {
   toCamelCase(attr) {
     return this.camelize(attr.split('-').slice(1).join(' '));
   },
 
-  t(s, d) {
-    for (const p in d) {
-      if (Object.prototype.hasOwnProperty.call(d, p)) {
-        s = s.replace(new RegExp(`{{${p}}}`, 'g'), d[p]);
-      }
-    }
-    return s;
+  template(templateString, data) {
+    const template = _template(templateString, {
+      escape: TEMPLATE_REGEX,
+    });
+
+    return template(data);
   },
 
   camelize(str) {
diff --git a/app/assets/javascripts/filtered_search/dropdown_hint.js b/app/assets/javascripts/filtered_search/dropdown_hint.js
index 3e7a892756c..5e9434fd48f 100644
--- a/app/assets/javascripts/filtered_search/dropdown_hint.js
+++ b/app/assets/javascripts/filtered_search/dropdown_hint.js
@@ -62,7 +62,7 @@ class DropdownHint extends gl.FilteredSearchDropdown {
           Object.assign({
             icon: `fa-${icon}`,
             hint,
-            tag: `<${tag}>`,
+            tag: `<${tag}>`,
           }, type && { type }),
         );
       }
diff --git a/spec/javascripts/droplab/constants_spec.js b/spec/javascripts/droplab/constants_spec.js
index fd153a49fcd..b9d28db74cc 100644
--- a/spec/javascripts/droplab/constants_spec.js
+++ b/spec/javascripts/droplab/constants_spec.js
@@ -27,6 +27,12 @@ describe('constants', function () {
     });
   });
 
+  describe('TEMPLATE_REGEX', function () {
+    it('should be a handlebars templating syntax regex', function() {
+      expect(constants.TEMPLATE_REGEX).toEqual(/\{\{(.+?)\}\}/g);
+    });
+  });
+
   describe('IGNORE_CLASS', function () {
     it('should be `droplab-item-ignore`', function() {
       expect(constants.IGNORE_CLASS).toBe('droplab-item-ignore');
diff --git a/spec/javascripts/droplab/drop_down_spec.js b/spec/javascripts/droplab/drop_down_spec.js
index 7516b301917..e7786e8cc2c 100644
--- a/spec/javascripts/droplab/drop_down_spec.js
+++ b/spec/javascripts/droplab/drop_down_spec.js
@@ -451,7 +451,7 @@ describe('DropDown', function () {
       this.html = 'html';
       this.template = { firstChild: { outerHTML: 'outerHTML', style: {} } };
 
-      spyOn(utils, 't').and.returnValue(this.html);
+      spyOn(utils, 'template').and.returnValue(this.html);
       spyOn(document, 'createElement').and.returnValue(this.template);
       spyOn(this.dropdown, 'setImagesSrc');
 
@@ -459,7 +459,7 @@ describe('DropDown', function () {
     });
 
     it('should call utils.t with .templateString and data', function () {
-      expect(utils.t).toHaveBeenCalledWith(this.templateString, this.data);
+      expect(utils.template).toHaveBeenCalledWith(this.templateString, this.data);
     });
 
     it('should call document.createElement', function () {