Merge branch 'security-id-email-xss-11-10' into '11-10-stable'

Escape path in new merge request mail See merge request gitlab/gitlabhq!3068
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-04-25 10:38:58 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-04-25 10:38:58 +0000
commit: c2c657982ec80ae4efd493e80082c43480da3fef (patch)
tree: c81fff30b9dfe66a362fd174d31c0cf3bbb7967f
parent: a101152320d86b74d620be2261b165ae086f1ed6 (diff)
parent: 25fc75f33a4cafb2cfce1f58be2f82d1422cba07 (diff)
download: gitlab-ce-c2c657982ec80ae4efd493e80082c43480da3fef.tar.gz
2 files changed, 6 insertions, 1 deletions
diff --git a/app/views/notify/new_merge_request_email.html.haml b/app/views/notify/new_merge_request_email.html.haml
index db23447dd39..78de5548dad 100644
--- a/app/views/notify/new_merge_request_email.html.haml
+++ b/app/views/notify/new_merge_request_email.html.haml
@@ -3,7 +3,7 @@
     #{link_to @merge_request.author_name, user_url(@merge_request.author)} created a merge request:
 
 %p.details
-  != merge_path_description(@merge_request, '&rarr;')
+  = merge_path_description(@merge_request, '→')
 
 - if @merge_request.assignee_id.present?
   %p
diff --git a/changelogs/unreleased/security-id-email-xss.yml b/changelogs/unreleased/security-id-email-xss.yml
new file mode 100644
index 00000000000..36c00a70c6a
--- /dev/null
+++ b/changelogs/unreleased/security-id-email-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Escape path in new merge request mail
+merge_request:
+author:
+type: security
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-04-25 10:38:58 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-04-25 10:38:58 +0000
commit	c2c657982ec80ae4efd493e80082c43480da3fef (patch)
tree	c81fff30b9dfe66a362fd174d31c0cf3bbb7967f
parent	a101152320d86b74d620be2261b165ae086f1ed6 (diff)
parent	25fc75f33a4cafb2cfce1f58be2f82d1422cba07 (diff)
download	gitlab-ce-c2c657982ec80ae4efd493e80082c43480da3fef.tar.gz