diff options
author | Jacob Schatz <jschatz@gitlab.com> | 2017-12-15 20:29:53 +0000 |
---|---|---|
committer | Oswaldo Ferreira <oswaldo@gitlab.com> | 2018-01-07 21:11:22 +0000 |
commit | 6c5bc18be9eaa294f5c5542d2f1c112b7a9df91e (patch) | |
tree | bd08eb45cac5685bacbb438807d903c43895775d | |
parent | 64a70d38d15674a7eef9762ae0e30ac5a79e4f95 (diff) | |
download | gitlab-ce-6c5bc18be9eaa294f5c5542d2f1c112b7a9df91e.tar.gz |
Merge branch 'label-xss-10-3' into 'security-10-3'
[10.3] Fix XSS in issue label dropdown
See merge request gitlab/gitlabhq!2253
(cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360)
ea1fb0ea Fix XSS in issue label dropdown
-rw-r--r-- | app/assets/javascripts/labels_select.js | 2 | ||||
-rw-r--r-- | spec/features/issues/issue_sidebar_spec.rb | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js index f7a1c9f1e40..664e793fc8e 100644 --- a/app/assets/javascripts/labels_select.js +++ b/app/assets/javascripts/labels_select.js @@ -231,7 +231,7 @@ export default class LabelsSelect { selectedClass.push('label-item'); $a.attr('data-label-id', label.id); } - $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title); + $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`); // Return generated html return $li.html($a).prop('outerHTML'); }, diff --git a/spec/features/issues/issue_sidebar_spec.rb b/spec/features/issues/issue_sidebar_spec.rb index a9de52bd8d5..02ad7a5e27b 100644 --- a/spec/features/issues/issue_sidebar_spec.rb +++ b/spec/features/issues/issue_sidebar_spec.rb @@ -8,6 +8,7 @@ feature 'Issue Sidebar' do let(:issue) { create(:issue, project: project) } let!(:user) { create(:user)} let!(:label) { create(:label, project: project, title: 'bug') } + let!(:xss_label) { create(:label, project: project, title: '<script>alert("xss");</script>') } before do sign_in(user) @@ -99,6 +100,14 @@ feature 'Issue Sidebar' do restore_window_size open_issue_sidebar end + + it 'escapes XSS when viewing issue labels' do + page.within('.block.labels') do + find('.edit-link').click + + expect(page).to have_content '<script>alert("xss");</script>' + end + end end context 'editing issue labels', :js do |