diff options
author | Jacob Schatz <jschatz@gitlab.com> | 2017-12-15 20:30:11 +0000 |
---|---|---|
committer | Tiago Botelho <tiago@gitlab.com> | 2018-01-08 13:30:39 +0000 |
commit | e629ec77b952a378445c02a0d439aa59e7d45d56 (patch) | |
tree | ccc9b36564b7c8758f5faeafba93200b37e31798 | |
parent | 6ae148195c61378e1f43f18216205821de1fd2af (diff) | |
download | gitlab-ce-e629ec77b952a378445c02a0d439aa59e7d45d56.tar.gz |
Merge branch 'label-xss-security' into 'security-10-2'
[10.2] Fix XSS in issue label dropdown
See merge request gitlab/gitlabhq!2251
(cherry picked from commit df15b14521c46aaad5805ae90aa04739d78eec63)
6d693d09 Fix XSS in issue label dropdown
-rw-r--r-- | app/assets/javascripts/labels_select.js | 2 | ||||
-rw-r--r-- | spec/features/issues/issue_sidebar_spec.rb | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js index f7a1c9f1e40..664e793fc8e 100644 --- a/app/assets/javascripts/labels_select.js +++ b/app/assets/javascripts/labels_select.js @@ -231,7 +231,7 @@ export default class LabelsSelect { selectedClass.push('label-item'); $a.attr('data-label-id', label.id); } - $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title); + $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`); // Return generated html return $li.html($a).prop('outerHTML'); }, diff --git a/spec/features/issues/issue_sidebar_spec.rb b/spec/features/issues/issue_sidebar_spec.rb index a9de52bd8d5..02ad7a5e27b 100644 --- a/spec/features/issues/issue_sidebar_spec.rb +++ b/spec/features/issues/issue_sidebar_spec.rb @@ -8,6 +8,7 @@ feature 'Issue Sidebar' do let(:issue) { create(:issue, project: project) } let!(:user) { create(:user)} let!(:label) { create(:label, project: project, title: 'bug') } + let!(:xss_label) { create(:label, project: project, title: '<script>alert("xss");</script>') } before do sign_in(user) @@ -99,6 +100,14 @@ feature 'Issue Sidebar' do restore_window_size open_issue_sidebar end + + it 'escapes XSS when viewing issue labels' do + page.within('.block.labels') do + find('.edit-link').click + + expect(page).to have_content '<script>alert("xss");</script>' + end + end end context 'editing issue labels', :js do |