author | Phil Hughes <me@iamphill.com> | 2017-09-26 07:39:37 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2017-10-12 10:45:06 +0200 |
commit | ae3d80e8e65be0f6f1243dcebe933a4df87692d8 (patch) | |
tree | d6fa1b76bbdc14034eb8b7d153710b38f7a51cee | |
parent | a3b68de7ed1900822bee96e46042ad022f391c55 (diff) | |
Merge branch 'winh-search-bar-xss-9.5' into 'security-9-5'
Escape user name in filtered search bar
See merge request gitlab/gitlabhq!2195
3 files changed, 29 insertions, 2 deletions
diff --git a/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js b/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
index 243ee4d723a..f4bf7bf0f43 100644
--- a/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
+++ b/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
@@ -123,8 +123,8 @@ class FilteredSearchVisualTokens {
 /* eslint-disable no-param-reassign */
 tokenValueContainer.dataset.originalValue = tokenValue;
 tokenValueElement.innerHTML = `
- <img class="avatar s20" src="${user.avatar_url}" alt="${user.name}'s avatar">
- ${user.name}
+ <img class="avatar s20" src="${user.avatar_url}" alt="">
+ ${_.escape(user.name)}
 `;
 /* eslint-enable no-param-reassign */
 })
diff --git a/changelogs/unreleased/winh-search-bar-xss-9-5.yml b/changelogs/unreleased/winh-search-bar-xss-9-5.yml
new file mode 100644
index 00000000000..0533fee9b3a
--- /dev/null
+++ b/changelogs/unreleased/winh-search-bar-xss-9-5.yml
@@ -0,0 +1,4 @@
+---
+title: Escape user name in filtered search bar
+merge_request:
+author:
diff --git a/spec/javascripts/filtered_search/filtered_search_visual_tokens_spec.js b/spec/javascripts/filtered_search/filtered_search_visual_tokens_spec.js
index 67166802c70..2ecb64d84b5 100644
--- a/spec/javascripts/filtered_search/filtered_search_visual_tokens_spec.js
+++ b/spec/javascripts/filtered_search/filtered_search_visual_tokens_spec.js
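Review bot: The `src` attribute on the added `<img>` line still interpolates `user.avatar_url` raw into `innerHTML`, so the fix is only complete if that field can never contain a quote or angle bracket; it comes from the same user record as the name that was just found to be injectable, and nothing in this hunk shows it being validated. The cheapest way to close that is to escape it the same way, `<img class="avatar s20" src="${_.escape(user.avatar_url)}" alt="">`, or to build the token with `document.createElement('img')` plus `textContent` so no user-derived string is parsed as HTML at all. Whether `_` is the global underscore or a module import is not visible here; if it is not already in scope in this file the new line needs an import. The enclosing method (presumably `updateUserTokenAppearance`, judging by the spec) starts and ends outside the hunk.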
@@ -791,6 +791,29 @@ describe('Filtered Search Visual Tokens', () => {
 expect(tokenValueElement.innerText.trim()).toBe(dummyUser.name);
 const avatar = tokenValueElement.querySelector('img.avatar');
 expect(avatar.src).toBe(dummyUser.avatar_url);
+ expect(avatar.alt).toBe('');
+ })
+ .then(done)
+ .catch(done.fail);
+ });
+
+ it('escapes user name when creating token', (done) => {
+ const dummyUser = {
+ name: '<script>',
+ avatar_url: `${gl.TEST_HOST}/mypics/avatar.png`,
+ };
+ const { tokenValueContainer, tokenValueElement } = findElements(authorToken);
+ const tokenValue = tokenValueElement.innerText;
+ usersCacheSpy = (username) => {
+ expect(`@${username}`).toBe(tokenValue);
+ return Promise.resolve(dummyUser);
+ };
+
+ subject.updateUserTokenAppearance(tokenValueContainer, tokenValueElement, tokenValue)
+ .then(() => {
+ expect(tokenValueElement.innerText.trim()).toBe(dummyUser.name);
+ tokenValueElement.querySelector('.avatar').remove();
+ expect(tokenValueElement.innerHTML.trim()).toBe(_.escape(dummyUser.name));
 })
 .then(done)
 .catch(done.fail); |
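Review bot: The last assertion in the new `it('escapes user name when creating token')` block compares `innerHTML` against `_.escape(dummyUser.name)`, the same helper the implementation calls, so the test would still pass if `_.escape` were stubbed or degraded to an identity; pin the expected markup as a literal instead, `expect(tokenValueElement.innerHTML.trim()).toBe('&lt;script&gt;');`. The fixture name `'<script>'` also contains no quote characters, so the test does not demonstrate that `"` and `'` are neutralised, which matters if the name is ever placed back into an attribute as the removed `alt` text was; a second fixture such as `'"><img src=x onerror=1>'` with a literal expectation would cover that. The enclosing `describe` and the preceding `it` whose tail is extended here both begin outside the hunk.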