diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 18:53:45 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 18:53:45 +0000 |
commit | 41948c2cf0234bca5b16d5e613f718a9217bd4bb (patch) | |
tree | e8062a11f1bf487c793b919640d02583f08d8689 | |
parent | 27e6daa26411d26e7f5fea2756c022b6da6c5b55 (diff) | |
parent | 88f00c714cc69121b831d0324cfd3d4956529e01 (diff) | |
download | gitlab-ce-41948c2cf0234bca5b16d5e613f718a9217bd4bb.tar.gz |
Merge branch 'security-stored-xss-using-find-file-12-1' into '12-1-stable'
Sanitize search text to prevent XSS
See merge request gitlab/gitlabhq!3471
-rw-r--r-- | app/assets/javascripts/project_find_file.js | 3 | ||||
-rw-r--r-- | changelogs/unreleased/security-stored-xss-using-find-file.yml | 5 |
2 files changed, 7 insertions, 1 deletions
diff --git a/app/assets/javascripts/project_find_file.js b/app/assets/javascripts/project_find_file.js index 60d3d83a4b2..bd5ab4f9ec4 100644 --- a/app/assets/javascripts/project_find_file.js +++ b/app/assets/javascripts/project_find_file.js @@ -5,6 +5,7 @@ import fuzzaldrinPlus from 'fuzzaldrin-plus'; import axios from '~/lib/utils/axios_utils'; import flash from '~/flash'; import { __ } from '~/locale'; +import sanitize from 'sanitize-html'; // highlight text(awefwbwgtc -> <b>a</b>wefw<b>b</b>wgt<b>c</b> ) const highlighter = function(element, text, matches) { @@ -75,7 +76,7 @@ export default class ProjectFindFile { findFile() { var result, searchText; - searchText = this.inputElement.val(); + searchText = sanitize(this.inputElement.val()); result = searchText.length > 0 ? fuzzaldrinPlus.filter(this.filePaths, searchText) : this.filePaths; return this.renderList(result, searchText); diff --git a/changelogs/unreleased/security-stored-xss-using-find-file.yml b/changelogs/unreleased/security-stored-xss-using-find-file.yml new file mode 100644 index 00000000000..41cd2f9494f --- /dev/null +++ b/changelogs/unreleased/security-stored-xss-using-find-file.yml @@ -0,0 +1,5 @@ +--- +title: Sanitize search text to prevent XSS +merge_request: +author: +type: security |