diff options
author | Phil Hughes <me@iamphill.com> | 2018-03-20 10:09:42 +0000 |
---|---|---|
committer | Filipa Lacerda <filipa@gitlab.com> | 2018-04-03 14:55:46 +0100 |
commit | 6abc9ece9f5755c2d7a5481af655e3bcaea617a6 (patch) | |
tree | 48a64efe21ab4a5d4eb3e4d98a13a1b5bc16f93f | |
parent | 1ed7d427a4fcd4cf562ecc1b1ef853f1327f83c8 (diff) | |
download | gitlab-ce-6abc9ece9f5755c2d7a5481af655e3bcaea617a6.tar.gz |
Merge branch 'fl-fix-milestone-bug-10-4' into 'security-10-4'
Port of fix milestone bug - escape milestone name
See merge request gitlab/gitlabhq!2360
-rw-r--r-- | app/assets/javascripts/milestone_select.js | 8 | ||||
-rw-r--r-- | spec/features/issues/form_spec.rb | 17 |
2 files changed, 21 insertions, 4 deletions
diff --git a/app/assets/javascripts/milestone_select.js b/app/assets/javascripts/milestone_select.js index 0e854295fe3..1e8c5dd8a5e 100644 --- a/app/assets/javascripts/milestone_select.js +++ b/app/assets/javascripts/milestone_select.js @@ -92,10 +92,10 @@ export default class MilestoneSelect { if (showMenuAbove) { $dropdown.data('glDropdown').positionMenuAbove(); } - $(`[data-milestone-id="${selectedMilestone}"] > a`).addClass('is-active'); + $(`[data-milestone-id="${_.escape(selectedMilestone)}"] > a`).addClass('is-active'); }), renderRow: milestone => ` - <li data-milestone-id="${milestone.name}"> + <li data-milestone-id="${_.escape(milestone.name)}"> <a href='#' class='dropdown-menu-milestone-link'> ${_.escape(milestone.title)} </a> @@ -123,7 +123,6 @@ export default class MilestoneSelect { return milestone.id; } }, - isSelected: milestone => milestone.name === selectedMilestone, hidden: () => { $selectBox.hide(); // display:block overrides the hide-collapse rule @@ -135,7 +134,7 @@ export default class MilestoneSelect { selectedMilestone = $dropdown[0].dataset.selected || selectedMilestoneDefault; } $('a.is-active', $el).removeClass('is-active'); - $(`[data-milestone-id="${selectedMilestone}"] > a`, $el).addClass('is-active'); + $(`[data-milestone-id="${_.escape(selectedMilestone)}"] > a`, $el).addClass('is-active'); }, vue: $dropdown.hasClass('js-issue-board-sidebar'), clicked: (clickEvent) => { @@ -156,6 +155,7 @@ export default class MilestoneSelect { const isMRIndex = (page === page && page === 'projects:merge_requests:index'); const isSelecting = (selected.name !== selectedMilestone); selectedMilestone = isSelecting ? selected.name : selectedMilestoneDefault; + if ($dropdown.hasClass('js-filter-bulk-update') || $dropdown.hasClass('js-issuable-form-dropdown')) { e.preventDefault(); return; diff --git a/spec/features/issues/form_spec.rb b/spec/features/issues/form_spec.rb index faf14be4818..db22b7299e3 100644 --- a/spec/features/issues/form_spec.rb +++ b/spec/features/issues/form_spec.rb @@ -214,6 +214,23 @@ describe 'New/edit issue', :js do expect(page).to have_selector('.atwho-view') end + + describe 'milestone' do + let!(:milestone) { create(:milestone, title: '"><img src=x onerror=alert(document.domain)>', project: project) } + + it 'escapes milestone' do + click_button 'Milestone' + + page.within '.issue-milestone' do + click_link milestone.title + end + + page.within '.js-milestone-select' do + expect(page).to have_content milestone.title + expect(page).not_to have_selector 'img' + end + end + end end context 'edit issue' do |