author | Robert Speicher <robert@gitlab.com> | 2017-05-03 14:28:46 +0000 |
---|---|---|
committer | Bob Van Landuyt <bob@gitlab.com> | 2017-05-10 11:09:05 +0200 |
commit | c26e9027d31b0735cea438eaa7bf787bc5b6e3a7 (patch) | |
tree | eed08914bd9705da6f32421fbf3965fadfdefabe | |
parent | dc54c570efa105df9e59da5dd974496273637811 (diff) | |
download | gitlab-ce-c26e9027d31b0735cea438eaa7bf787bc5b6e3a7.tar.gz |
Merge branch 'branch-name-escape' into 'security'
Fix XSS in branches dropdown
See merge request !2093
-rw-r--r-- | app/assets/javascripts/gl_dropdown.js | 2 | ||||
-rw-r--r-- | changelogs/unreleased/branch-name-escape.yml | 4 | ||||
-rw-r--r-- | spec/javascripts/gl_dropdown_spec.js | 20 |
3 files changed, 19 insertions, 7 deletions
diff --git a/app/assets/javascripts/gl_dropdown.js b/app/assets/javascripts/gl_dropdown.js
index 0c9eb84f0eb..ef423691ece 100644
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -610,7 +610,7 @@ GitLabDropdown = (function() {
 var link = document.createElement('a');
 link.href = url;
- link.innerHTML = text;
+ link.textContent = text;
 if (selected) {
 link.className = 'is-active';
diff --git a/changelogs/unreleased/branch-name-escape.yml b/changelogs/unreleased/branch-name-escape.yml
new file mode 100644
index 00000000000..bf46235fd79
--- /dev/null
+++ b/changelogs/unreleased/branch-name-escape.yml
@@ -0,0 +1,4 @@
+---
+title: Fixed branches dropdown rendering branch names as HTML
+merge_request:
+author:
diff --git a/spec/javascripts/gl_dropdown_spec.js b/spec/javascripts/gl_dropdown_spec.js
index c207fb00a47..42c6e328fac 100644
--- a/spec/javascripts/gl_dropdown_spec.js
+++ b/spec/javascripts/gl_dropdown_spec.js
@@ -52,12 +52,8 @@ require('~/lib/utils/url_utility');
 search: {
 fields: ['name']
 },
- text: (project) => {
- (project.name_with_namespace || project.name);
- },
- id: (project) => {
- project.id;
- }
+ text: project => (project.name_with_namespace || project.name),
+ id: project => project.id
 });
 }
@@ -80,6 +76,18 @@ require('~/lib/utils/url_utility');
 expect(this.dropdownContainerElement).toHaveClass('open');
 });
+ it('escapes HTML as text', () => {
+ this.projectsData[0].name_with_namespace = '<script>alert("testing");</script>';
+
+ initDropDown.call(this, false);
+
+ this.dropdownButtonElement.click();
+
+ expect(
+ $('.dropdown-content li:first-child').text(),
+ ).toBe('<script>alert("testing");</script>');
+ });
+
 describe('that is open', () => {
 beforeEach(() => {
 initDropDown.call(this, false, false);
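Review bot: The `link.textContent = text` change covers the element's text, but the line directly above it, `link.href = url`, still assigns `url` without any scheme check, so if an item's URL can be influenced by user data that path is not closed by this fix; whether `url` is ever user-controlled is not visible in this hunk. A one-line comment would keep a future refactor from reintroducing `innerHTML` here: `// textContent, not innerHTML: item text can be a user-supplied branch name`. If this file writes `text` into markup anywhere else (other item render paths), those sites need the same treatment; the enclosing function starts and ends outside the hunk.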
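Review bot: The new spec in the second hunk assigns `this.projectsData[0].name_with_namespace` and never restores it, so if `projectsData` is created once rather than in a per-test `beforeEach` (its setup is outside this hunk) the payload string leaks into later specs and changes what they render; mutating a shallow copy, `this.projectsData[0] = { ...this.projectsData[0], name_with_namespace: '<script>alert("testing");</script>' };`, avoids the cross-test coupling. The assertion relies on jQuery `.text()` differing when a real element had been injected; an explicit `expect($('.dropdown-content li:first-child script').length).toBe(0);` states the guarded regression directly and survives a change in how the item text is rendered. The fixture change in the first hunk is what makes this test meaningful — the old block-bodied arrows returned `undefined`, so no name was rendered at all — and a short comment on the `text:` line saying so would stop someone re-adding the braces.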