diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-03 11:36:03 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-03 11:36:28 +0000 |
commit | 26c1050566d018fe2f13a5deb86ee2ec5ab83ac8 (patch) | |
tree | 6f310d6b3152585e411f9c90e57afbc150285950 | |
parent | f6e5489b661c8c139c4891f5c1dfd7d77b3a827d (diff) | |
download | gitlab-ce-26c1050566d018fe2f13a5deb86ee2ec5ab83ac8.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee
5 files changed, 15 insertions, 4 deletions
diff --git a/app/assets/javascripts/notebook/cells/output/html.vue b/app/assets/javascripts/notebook/cells/output/html.vue index ca02ee18dd1..2d1d8845e41 100644 --- a/app/assets/javascripts/notebook/cells/output/html.vue +++ b/app/assets/javascripts/notebook/cells/output/html.vue @@ -30,6 +30,9 @@ export default { }, safeHtmlConfig: { ADD_TAGS: ['use'], // to support icon SVGs + FORBID_TAGS: ['style'], + FORBID_ATTR: ['style'], + ALLOW_DATA_ATTR: false, }, }; </script> diff --git a/app/views/devise/confirmations/new.html.haml b/app/views/devise/confirmations/new.html.haml index eee223ff63c..2ae950f3b0d 100644 --- a/app/views/devise/confirmations/new.html.haml +++ b/app/views/devise/confirmations/new.html.haml @@ -6,7 +6,7 @@ = render "devise/shared/error_messages", resource: resource .form-group = f.label :email - = f.email_field :email, class: "form-control gl-form-input", required: true, title: _('Please provide a valid email address.'), value: nil + = f.email_field :email, class: "form-control gl-form-input", required: true, autocomplete: 'off', title: _('Please provide a valid email address.'), value: nil %div - if recaptcha_enabled? diff --git a/app/views/devise/passwords/new.html.haml b/app/views/devise/passwords/new.html.haml index 7bbde4a39c7..d5372862128 100644 --- a/app/views/devise/passwords/new.html.haml +++ b/app/views/devise/passwords/new.html.haml @@ -5,7 +5,7 @@ = render "devise/shared/error_messages", resource: resource .form-group = f.label :email - = f.email_field :email, class: "form-control gl-form-input", required: true, value: params[:user_email], autofocus: true, title: _('Please provide a valid email address.') + = f.email_field :email, class: "form-control gl-form-input", required: true, autocomplete: 'off', value: params[:user_email], autofocus: true, title: _('Please provide a valid email address.') .form-text.text-muted = _('Requires your primary GitLab email address.') diff --git a/app/views/groups/_import_group_from_another_instance_panel.html.haml b/app/views/groups/_import_group_from_another_instance_panel.html.haml index 06a86c2465f..3b079ea00b7 100644 --- a/app/views/groups/_import_group_from_another_instance_panel.html.haml +++ b/app/views/groups/_import_group_from_another_instance_panel.html.haml @@ -26,6 +26,7 @@ = s_('GroupsNew|Navigate to user settings to find your %{link_start}personal access token%{link_end}.').html_safe % { link_start: pat_link_start, link_end: '</a>'.html_safe } = f.text_field :bulk_import_gitlab_access_token, placeholder: s_('GroupsNew|e.g. h8d3f016698e...'), class: 'gl-form-input gl-mt-3 col-xs-12 col-sm-8', required: true, + autocomplete: 'off', title: s_('GroupsNew|Please fill in your personal access token.'), id: 'import_gitlab_token', data: { qa_selector: 'import_gitlab_token' } diff --git a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js index 803ac4a219d..70c7f56b62f 100644 --- a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js +++ b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js @@ -16,13 +16,20 @@ export default [ 'text/html table', { input: [ - '<table>\n', + '<style type="text/css">\n', + '\n', + 'body {\n', + ' background: red;\n', + '}\n', + '\n', + '</style>\n', + '<table data-myattr="XSS">\n', '<tr>\n', '<th>Header 1</th>\n', '<th>Header 2</th>\n', '</tr>\n', '<tr>\n', - '<td>row 1, cell 1</td>\n', + '<td style="background: red;">row 1, cell 1</td>\n', '<td>row 1, cell 2</td>\n', '</tr>\n', '<tr>\n', |