Remove XSS vulnerability in Label and Milestone dropdowns

author: Robert Speicher <rspeicher@gmail.com> 2016-04-19 13:41:08 -0400
committer: Robert Speicher <rspeicher@gmail.com> 2016-04-19 13:41:08 -0400
commit: 8de18d417d43807fe329082c0666813af7c3d9ea (patch)
tree: e3df0ccfa1d569217607d89b3e852cfd4b7952e4
parent: 55380e69fcd070751a26e368da55968fa3f57419 (diff)
download: gitlab-ce-8de18d417d43807fe329082c0666813af7c3d9ea.tar.gz
2 files changed, 7 insertions, 7 deletions
diff --git a/app/assets/javascripts/labels_select.js.coffee b/app/assets/javascripts/labels_select.js.coffee
index bc80980acb7..1131492b7ae 100644
--- a/app/assets/javascripts/labels_select.js.coffee
+++ b/app/assets/javascripts/labels_select.js.coffee
@@ -33,13 +33,13 @@ class @LabelsSelect
       if issueUpdateURL
         labelHTMLTemplate = _.template(
             '<% _.each(labels, function(label){ %>
-            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= label.title %>">
-            <span class="label has-tooltip color-label" title="<%= label.description %>" style="background-color: <%= label.color %>;">
-            <%= label.title %>
+            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= _.escape(label.title) %>">
+            <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>;">
+            <%= _.escape(label.title) %>
             </span>
             </a>
             <% }); %>'
-        );
+        )
         labelNoneHTMLTemplate = _.template('<div class="light">None</div>')
 
       if newLabelField.length and $dropdown.hasClass 'js-extra-options'
@@ -211,7 +211,7 @@ class @LabelsSelect
           "<li>
             <a href='#' class='#{selectedClass}'>
               #{color}
-              #{label.title}
+              #{_.escape(label.title)}
             </a>
           </li>"
         filterable: true
diff --git a/app/assets/javascripts/milestone_select.js.coffee b/app/assets/javascripts/milestone_select.js.coffee
index 6bd4e885a03..04fd5cf37bd 100644
--- a/app/assets/javascripts/milestone_select.js.coffee
+++ b/app/assets/javascripts/milestone_select.js.coffee
@@ -24,7 +24,7 @@ class @MilestoneSelect
 
       if issueUpdateURL
         milestoneLinkTemplate = _.template(
-          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>"><%= title %></a>'
+          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>"><%= _.escape(title) %></a>'
         )
 
         milestoneLinkNoneTemplate = '<div class="light">None</div>'
@@ -71,7 +71,7 @@ class @MilestoneSelect
             defaultLabel
         fieldName: $dropdown.data('field-name')
         text: (milestone) ->
-          milestone.title
+          _.escape(milestone.title)
         id: (milestone) ->
           if !useId
             milestone.name
author	Robert Speicher <rspeicher@gmail.com>	2016-04-19 13:41:08 -0400
committer	Robert Speicher <rspeicher@gmail.com>	2016-04-19 13:41:08 -0400
commit	8de18d417d43807fe329082c0666813af7c3d9ea (patch)
tree	e3df0ccfa1d569217607d89b3e852cfd4b7952e4
parent	55380e69fcd070751a26e368da55968fa3f57419 (diff)
download	gitlab-ce-8de18d417d43807fe329082c0666813af7c3d9ea.tar.gz