Fix HTML injection for label description

5 files changed, 29 insertions, 3 deletions

diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index db4f29cd996..bed6eb90209 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -72,7 +72,7 @@ module LabelsHelper
   end
 
   def label_tooltip_title(label)
-    label.description
+    Sanitize.clean(label.description)
   end
 
   def suggested_colors
diff --git a/app/models/label.rb b/app/models/label.rb
index b83e0862bab..b86d4aa84ff 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -193,7 +193,11 @@ class Label < ApplicationRecord
   end
 
   def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
   end
 
   ##
@@ -254,7 +258,7 @@ class Label < ApplicationRecord
     end
   end
 
-  def sanitize_title(value)
+  def sanitize_value(value)
     CGI.unescapeHTML(Sanitize.clean(value.to_s))
   end
 
diff --git a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
new file mode 100644
index 00000000000..07124ac399b
--- /dev/null
+++ b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
@@ -0,0 +1,5 @@
+---
+title: Fix HTML injection for label description
+merge_request:
+author:
+type: security
diff --git a/spec/helpers/labels_helper_spec.rb b/spec/helpers/labels_helper_spec.rb
index 314305d7a8e..5892113c4d8 100644
--- a/spec/helpers/labels_helper_spec.rb
+++ b/spec/helpers/labels_helper_spec.rb
@@ -296,4 +296,14 @@ describe LabelsHelper do
       it { is_expected.to eq('Subscribe at group level') }
     end
   end
+
+  describe '#label_tooltip_title' do
+    let(:html) { '<img src="example.png">This is an image</img>' }
+    let(:label_with_html_content) { create(:label, title: 'test', description: html) }
+
+    it 'removes HTML' do
+      tooltip = label_tooltip_title(label_with_html_content)
+      expect(tooltip).to eq('This is an image')
+    end
+  end
 end
diff --git a/spec/models/label_spec.rb b/spec/models/label_spec.rb
index 5174c590a10..c182e693ca7 100644
--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -84,6 +84,13 @@ describe Label do
     end
   end
 
+  describe '#description' do
+    it 'sanitizes description' do
+      label = described_class.new(description: '<b>foo & bar?</b>')
+      expect(label.description).to eq('foo & bar?')
+    end
+  end
+
   describe 'priorization' do
     subject(:label) { create(:label) }