authorRobert Speicher <rspeicher@gmail.com>2016-04-19 11:22:19 -0400
committerRobert Speicher <rspeicher@gmail.com>2016-04-19 11:26:02 -0400
commit5ac95d0f2b70877aea717e25fb3fba8531cf2915 (patch)
tree80ad707482af06d372fac1d109ade1fa869f2320
parentc00312909aa369ea8732115190870e0e6c7e2383 (diff)
downloadgitlab-ce-5ac95d0f2b70877aea717e25fb3fba8531cf2915.tar.gz
Remove persistent XSS vulnerability in `commit_person_link` helper
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948
-rw-r--r--CHANGELOG3
-rw-r--r--app/helpers/commits_helper.rb2
-rw-r--r--app/helpers/projects_helper.rb2
3 files changed, 5 insertions, 2 deletions
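--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.
+v 8.3.8
+ - Remove persistent XSS vulnerability in `commit_person_link` helper
+
 v 8.3.7
 - Fix a 2FA authentication spoofing vulnerability.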
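--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -152,7 +152,7 @@ module CommitsHelper
 options = {
 class: "commit-#{options[:source]}-link has_tooltip",
-data: { :'original-title' => sanitize(source_email) }
+title: source_email
 }
 if user.nil?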
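Review bot: The new `title: source_email` line is safe only because `source_email` reaches `link_to` as a plain String and the tag helper escapes it as an attribute value; the removed line shows exactly how that invariant was broken before, since `sanitize` returns an html_safe value that the helper emits unescaped. Nothing in the hunk records that, so a one-line comment above the hash would keep the next editor from reintroducing it: `# keep title a plain String: the tag helper escapes it; sanitize()/html_safe output would be emitted raw`. Bootstrap's tooltip reads `title` and copies it into `data-original-title` itself, so the rendered tooltip should be unchanged, though that is inferred from the `has_tooltip` class rather than visible here. The enclosing method (presumably `commit_person_link`, per the commit title) starts and ends outside the hunk.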
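--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,7 @@ module ProjectsHelper
 link_to(author_html, user_path(author), class: "author_link").html_safe
 else
 title = opts[:title].sub(":name", sanitize(author.name))
-link_to(author_html, user_path(author), class: "author_link has_tooltip", data: { :'original-title' => title, container: 'body' } ).html_safe
+link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' } ).html_safe
 end
 end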
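Review bot: The trailing `.html_safe` on the new `link_to(...)` line is redundant, because `link_to` already returns a SafeBuffer, and it is the kind of call that silently disables escaping if the expression is ever rewritten to build the markup by hand; the line can read `link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' })`, and the unchanged `.html_safe` on the `if` branch above it deserves the same treatment. With `title:` now escaped by the tag helper, the `sanitize(author.name)` on the `title = ...` context line is no longer what protects the attribute; `sanitize` strips markup rather than escaping it, so a display name containing `<` is presumably shown truncated, which is worth a follow-up but not part of this fix. The enclosing method starts outside the hunk.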