Merge branch 'security-id-email-xss' into 'master'

Escape path in new merge request mail See merge request gitlab/gitlabhq!3066
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-04-25 10:39:05 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-04-25 10:39:05 +0000
commit: 4c90443bf8a3de14acbd0a87bf9e4d358bcd37df (patch)
tree: 78f13aebbe199b6daa014e1d6785f5671ed1c642
parent: a1d52a3c50c214a2c5ce7fec860f608a4c21680b (diff)
parent: 716e71afde1486e1a01d30c003ef3880fc58acf6 (diff)
download: gitlab-ce-4c90443bf8a3de14acbd0a87bf9e4d358bcd37df.tar.gz
2 files changed, 6 insertions, 1 deletions
diff --git a/app/views/notify/new_merge_request_email.html.haml b/app/views/notify/new_merge_request_email.html.haml
index 77d2e65d285..9ab648e2a64 100644
--- a/app/views/notify/new_merge_request_email.html.haml
+++ b/app/views/notify/new_merge_request_email.html.haml
@@ -3,7 +3,7 @@
     #{link_to @merge_request.author_name, user_url(@merge_request.author)} created a merge request:
 
 %p.details
-  != merge_path_description(@merge_request, '&rarr;')
+  = merge_path_description(@merge_request, '→')
 
 - if @merge_request.assignees.any?
   %p
diff --git a/changelogs/unreleased/security-id-email-xss.yml b/changelogs/unreleased/security-id-email-xss.yml
new file mode 100644
index 00000000000..36c00a70c6a
--- /dev/null
+++ b/changelogs/unreleased/security-id-email-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Escape path in new merge request mail
+merge_request:
+author:
+type: security
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-04-25 10:39:05 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-04-25 10:39:05 +0000
commit	4c90443bf8a3de14acbd0a87bf9e4d358bcd37df (patch)
tree	78f13aebbe199b6daa014e1d6785f5671ed1c642
parent	a1d52a3c50c214a2c5ce7fec860f608a4c21680b (diff)
parent	716e71afde1486e1a01d30c003ef3880fc58acf6 (diff)
download	gitlab-ce-4c90443bf8a3de14acbd0a87bf9e4d358bcd37df.tar.gz