authorJarka Košanová <jarka@gitlab.com>2018-12-12 19:28:31 +0100
committerJarka Košanová <jarka@gitlab.com>2018-12-12 19:30:13 +0100
commita1d69ab6b86b93e600bdd90190f0a7d574992e91 (patch)
tree79a00ff01e735fdd5bb159d4ba59f79b04cfde5e
parent7b1ea8cae2d43498f2eff02ead21977a90822ce1 (diff)
downloadgitlab-ce-a1d69ab6b86b93e600bdd90190f0a7d574992e91.tar.gz
Escape html entities when no label found
-rw-r--r--changelogs/unreleased/54427-label-xss.yml5
-rw-r--r--lib/banzai/filter/label_reference_filter.rb6
-rw-r--r--spec/lib/banzai/filter/label_reference_filter_spec.rb18
3 files changed, 28 insertions, 1 deletions
diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml
new file mode 100644
index 00000000000..090d1832af2
--- /dev/null
+++ b/changelogs/unreleased/54427-label-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Escape html entities in LabelReferenceFilter when no label found
+merge_request:
+author:
+type: security
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index 04ec38209c7..f90a35952e5 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -29,7 +29,7 @@ module Banzai
if label
yield match, label.id, project, namespace, $~
else
- match
+ escape_html_entities(match)
end
end
end
@@ -102,6 +102,10 @@ module Banzai
CGI.unescapeHTML(text.to_s)
end
+ def escape_html_entities(text)
+ CGI.escapeHTML(text.to_s)
+ end
+
def object_link_title(object, matches)
# use title of wrapped element instead
nil
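Review bot: Escaping only `match` does not cover the rest of the string that the `gsub` returns: `unescape_html_entities` (`CGI.unescapeHTML` in the second hunk) suggests `references_in` runs the label pattern over a decoded copy of the text, and if that is the case, any entity that sits in the same text node outside the reference is still handed back decoded whenever the pattern matches but no label is found, so the caller can still reinsert it as markup. The start of `references_in` is outside the first hunk, so this is inferred rather than seen. A more robust shape is to never return the decoded copy: match against it, but build the returned string from the original escaped text, or substitute a placeholder per matched reference and re-escape everything outside the placeholders before returning. The new `escape_html_entities` also deserves a comment, since `CGI.escapeHTML` is not a byte-for-byte inverse of `CGI.unescapeHTML` (named and numeric entities other than the five it emits come back as the literal character or in canonical form), e.g. `# Re-escape text decoded by unescape_html_entities before it is inserted back into the document; not an exact inverse`.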
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb
index 00257ed7904..9cfdb9e53a2 100644
--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -236,6 +236,24 @@ describe Banzai::Filter::LabelReferenceFilter do
end
end
+ context 'References with html entities' do
+ let!(:label) { create(:label, name: '&lt;html&gt;', project: project) }
+
+ it 'links to a valid reference' do
+ doc = reference_filter('See ~"&lt;html&gt;"')
+
+ expect(doc.css('a').first.attr('href')).to eq urls
+ .project_issues_url(project, label_name: label.name)
+ expect(doc.text).to eq 'See <html>'
+ end
+
+ it 'ignores invalid label names and escapes entities' do
+ act = %(Label #{Label.reference_prefix}"&lt;non valid&gt;")
+
+ expect(reference_filter(act).to_html).to eq act
+ end
+ end
+
describe 'consecutive references' do
let(:bug) { create(:label, name: 'bug', project: project) }
let(:feature_proposal) { create(:label, name: 'feature proposal', project: project) }
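Review bot: The example `it 'ignores invalid label names and escapes entities'` only places entities inside the unmatched reference, so it cannot tell whether entity-bearing text elsewhere in the same node comes back escaped; a case such as `act = %(&lt;b&gt; #{Label.reference_prefix}"&lt;non valid&gt;" &lt;i&gt;)` (constructed example) with the same `to_html eq act` expectation would pin that path. Note also that `eq act` holds here only because `&lt;` and `&gt;` survive an unescape/escape round-trip unchanged; a name written with numeric entities would be re-emitted in canonical `&lt;` form, so this assertion is not a general round-trip guarantee and a comment saying so, such as `# equality holds because &lt;/&gt; round-trip exactly through CGI.unescapeHTML/escapeHTML`, would keep a future reader from generalising it.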