authorJacob Schatz <jschatz@gitlab.com>2017-12-15 20:30:11 +0000
committerTiago Botelho <tiago@gitlab.com>2018-01-08 13:30:39 +0000
commite629ec77b952a378445c02a0d439aa59e7d45d56 (patch)
treeccc9b36564b7c8758f5faeafba93200b37e31798
parent6ae148195c61378e1f43f18216205821de1fd2af (diff)
downloadgitlab-ce-e629ec77b952a378445c02a0d439aa59e7d45d56.tar.gz
Merge branch 'label-xss-security' into 'security-10-2'
[10.2] Fix XSS in issue label dropdown. See merge request gitlab/gitlabhq!2251 (cherry picked from commit df15b14521c46aaad5805ae90aa04739d78eec63). 6d693d09 Fix XSS in issue label dropdown
-rw-r--r--app/assets/javascripts/labels_select.js2
-rw-r--r--spec/features/issues/issue_sidebar_spec.rb9
2 files changed, 10 insertions, 1 deletions
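--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -231,7 +231,7 @@ export default class LabelsSelect {
 selectedClass.push('label-item');
 $a.attr('data-label-id', label.id);
 }
-$a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
+$a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
 // Return generated html
 return $li.html($a).prop('outerHTML');
 },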
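Review bot: The added line escapes `label.title` but still interpolates `colorEl` into `.html()` as raw markup, so the fix covers only one of the two values on that line; if `colorEl` is built from `label.color` rather than from a fixed template with a validated value, it needs the same `_.escape` treatment or should be built through DOM APIs instead of string concatenation. A short comment would help keep the escape from being dropped in a later refactor, e.g. `// label.title is user-controlled; escape it before inserting as HTML`. The enclosing method starts before this hunk, so where `colorEl` comes from is not visible here.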
diff --git a/spec/features/issues/issue_sidebar_spec.rb b/spec/features/issues/issue_sidebar_spec.rb
index a9de52bd8d5..02ad7a5e27b 100644
--- a/spec/features/issues/issue_sidebar_spec.rb
+++ b/spec/features/issues/issue_sidebar_spec.rb
@@ -8,6 +8,7 @@ feature 'Issue Sidebar' do
let(:issue) { create(:issue, project: project) }
let!(:user) { create(:user)}
let!(:label) { create(:label, project: project, title: 'bug') }
+ let!(:xss_label) { create(:label, project: project, title: '&lt;script&gt;alert("xss");&lt;&#x2F;script&gt;') }
before do
sign_in(user)
@@ -99,6 +100,14 @@ feature 'Issue Sidebar' do
restore_window_size
open_issue_sidebar
end
+
+ it 'escapes XSS when viewing issue labels' do
+ page.within('.block.labels') do
+ find('.edit-link').click
+
+ expect(page).to have_content '<script>alert("xss");</script>'
+ end
+ end
end
context 'editing issue labels', :js do