author | Robert Speicher <robert@gitlab.com> | 2017-05-03 14:28:46 +0000 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2017-05-04 20:08:13 +0800 |
commit | 8040e336513dfedd526c3f2caaba84a83d161d52 (patch) | |
tree | 00193884523399f8d8a9a85c7199f0aa7306c638 | |
parent | bca874dfbdcfb6bdd751a07b365995007118fc90 (diff) | |
Merge branch 'branch-name-escape' into 'security'
Fix XSS in branches dropdown
See merge request !2093
-rw-r--r-- | app/assets/javascripts/gl_dropdown.js | 2 | ||||
-rw-r--r-- | changelogs/unreleased/branch-name-escape.yml | 4 | ||||
-rw-r--r-- | spec/javascripts/gl_dropdown_spec.js | 20 |
3 files changed, 19 insertions, 7 deletions
diff --git a/app/assets/javascripts/gl_dropdown.js b/app/assets/javascripts/gl_dropdown.js
index a03f1202a6d..5511a7b676d 100644
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -584,7 +584,7 @@ GitLabDropdown = (function() {
 var link = document.createElement('a');
 link.href = url;
- link.innerHTML = text;
+ link.textContent = text;
 if (selected) {
 link.className = 'is-active';
diff --git a/changelogs/unreleased/branch-name-escape.yml b/changelogs/unreleased/branch-name-escape.yml
new file mode 100644
index 00000000000..bf46235fd79
--- /dev/null
+++ b/changelogs/unreleased/branch-name-escape.yml
@@ -0,0 +1,4 @@
+---
+title: Fixed branches dropdown rendering branch names as HTML
+merge_request:
+author:
diff --git a/spec/javascripts/gl_dropdown_spec.js b/spec/javascripts/gl_dropdown_spec.js
index c207fb00a47..42c6e328fac 100644
--- a/spec/javascripts/gl_dropdown_spec.js
+++ b/spec/javascripts/gl_dropdown_spec.js
@@ -52,12 +52,8 @@ require('~/lib/utils/url_utility');
 search: {
 fields: ['name']
 },
- text: (project) => { (project.name_with_namespace || project.name); },
- id: (project) => { project.id; }
+ text: project => (project.name_with_namespace || project.name),
+ id: project => project.id
 });
 }
@@ -80,6 +76,18 @@ require('~/lib/utils/url_utility');
 expect(this.dropdownContainerElement).toHaveClass('open');
 });
+ it('escapes HTML as text', () => {
+ this.projectsData[0].name_with_namespace = '<script>alert("testing");</script>';
+
+ initDropDown.call(this, false);
+
+ this.dropdownButtonElement.click();
+
+ expect(
+ $('.dropdown-content li:first-child').text(),
+ ).toBe('<script>alert("testing");</script>');
+ });
+
 describe('that is open', () => {
 beforeEach(() => {
 initDropDown.call(this, false, false); |
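Review bot: The line directly above the changed one, `link.href = url;`, still assigns `url` with no check, so if `url` is derived from the same item data as `text` (its construction is outside this hunk) an item carrying a `javascript:` or `data:` scheme would still run on click even though markup in `text` is now inert. Worth confirming where `url` comes from and, if item-controlled text can reach it, rejecting anything that is not an http(s) or relative URL before the assignment. The move to `textContent` also changes the contract of this shared renderer: any caller that deliberately passed markup through `text` will now see it rendered literally, which is the right default but deserves a comment at the changed line, e.g. `// text is item data (e.g. branch names) and must never be parsed as HTML`. The enclosing function starts and ends outside the hunk.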
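Review bot: The new test proves the fix only indirectly, through `$('.dropdown-content li:first-child').text()` returning the whole payload string, which relies on the reader knowing that an injected script element would have yielded just its body; an explicit absence check states the intent directly, `expect($('.dropdown-content script').length).toBe(0);` next to the existing `toBe`. The test also mutates `this.projectsData[0].name_with_namespace` and never restores it, so if `projectsData` is built once rather than per test (its setup is outside the hunk) the payload leaks into the later `describe('that is open')` cases; resetting it in an `afterEach` or building the fixture per test would avoid that. The enclosing `describe` block starts outside the hunk.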