Escape path in new merge request mail

author: Igor Drozdov <idrozdov@gitlab.com> 2019-04-16 16:29:37 +0300
committer: Igor Drozdov <idrozdov@gitlab.com> 2019-04-17 17:54:42 +0300
commit: 25fc75f33a4cafb2cfce1f58be2f82d1422cba07 (patch)
tree: a1c944c34a1a47590f02c48e46c1f099857764a2
parent: 5c46af40687ae7529c33211464724f909051eb05 (diff)
download: gitlab-ce-25fc75f33a4cafb2cfce1f58be2f82d1422cba07.tar.gz
2 files changed, 6 insertions, 1 deletions
diff --git a/app/views/notify/new_merge_request_email.html.haml b/app/views/notify/new_merge_request_email.html.haml
index db23447dd39..78de5548dad 100644
--- a/app/views/notify/new_merge_request_email.html.haml
+++ b/app/views/notify/new_merge_request_email.html.haml
@@ -3,7 +3,7 @@
     #{link_to @merge_request.author_name, user_url(@merge_request.author)} created a merge request:
 
 %p.details
-  != merge_path_description(@merge_request, '&rarr;')
+  = merge_path_description(@merge_request, '→')
 
 - if @merge_request.assignee_id.present?
   %p
diff --git a/changelogs/unreleased/security-id-email-xss.yml b/changelogs/unreleased/security-id-email-xss.yml
new file mode 100644
index 00000000000..36c00a70c6a
--- /dev/null
+++ b/changelogs/unreleased/security-id-email-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Escape path in new merge request mail
+merge_request:
+author:
+type: security
author	Igor Drozdov <idrozdov@gitlab.com>	2019-04-16 16:29:37 +0300
committer	Igor Drozdov <idrozdov@gitlab.com>	2019-04-17 17:54:42 +0300
commit	25fc75f33a4cafb2cfce1f58be2f82d1422cba07 (patch)
tree	a1c944c34a1a47590f02c48e46c1f099857764a2
parent	5c46af40687ae7529c33211464724f909051eb05 (diff)
download	gitlab-ce-25fc75f33a4cafb2cfce1f58be2f82d1422cba07.tar.gz