author | Tim Zallmann <tzallmann@gitlab.com> | 2017-09-01 22:41:17 +0200 |
committer | Jose Ivan Vargas <jvargas@gitlab.com> | 2017-09-05 18:41:14 -0500 |
commit | 777a5cf2843a4ce07ee37c809fa33b99b87cb131 (patch) | |
tree | 6408f27f615fc2b1c01fb76f113d05d228c1c757 | |
parent | 49d254e1e7cc5ce3127aa08b059b018e8ae2a268 (diff) | |
Fixes vulnerability in posting a comment in the temporary rendering
-rw-r--r-- | app/assets/javascripts/notes.js | 10 | ||||
-rw-r--r-- | spec/javascripts/notes_spec.js | 15 |
2 files changed, 20 insertions, 5 deletions
diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js
index 1a68c5bca00..00d4ea5fade 100644
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1269,16 +1269,16 @@ export default class Notes {
         `<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry">
            <div class="timeline-entry-inner">
               <div class="timeline-icon">
-                 <a href="/${currentUsername}">
-                    <img class="avatar s40" src="${currentUserAvatar}">
+                 <a href="/${_.escape(currentUsername)}">
+                    <img class="avatar s40" src="${currentUserAvatar}" />
                  </a>
               </div>
               <div class="timeline-content ${discussionClass}">
                  <div class="note-header">
                     <div class="note-header-info">
-                       <a href="/${currentUsername}">
-                          <span class="hidden-xs">${currentUserFullname}</span>
-                          <span class="note-headline-light">@${currentUsername}</span>
+                       <a href="/${_.escape(currentUsername)}">
+                          <span class="hidden-xs">${_.escape(currentUserFullname)}</span>
+                          <span class="note-headline-light">@${_.escape(currentUsername)}</span>
                        </a>
                     </div>
                  </div>
diff --git a/spec/javascripts/notes_spec.js b/spec/javascripts/notes_spec.js
index 2c096ed08a8..55ed88d38e8 100644
--- a/spec/javascripts/notes_spec.js
+++ b/spec/javascripts/notes_spec.js
@@ -768,6 +768,21 @@ import '~/notes';
         expect($tempNote.prop('nodeName')).toEqual('LI');
         expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy();
       });
+
+      it('should return a escaped user name', () => {
+        const currentUserNameXSS = 'Foo <script>alert("XSS")</script>';
+        const $tempNote = this.notes.createPlaceholderNote({
+          formContent: sampleComment,
+          uniqueId,
+          isDiscussionNote: false,
+          currentUsername,
+          currentUserNameXSS,
+          currentUserAvatar,
+        });
+        const $tempNoteHeader = $tempNote.find('.note-header');
+
+        expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual('Foo <script>alert("XSS")</script>');
+      });
     });
     describe('createPlaceholderSystemNote', () => {
|
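Review bot: The avatar URL on the new `<img>` line is still interpolated raw into `src="${currentUserAvatar}"`, while the username and full name on the surrounding lines now go through `_.escape`; the attribute value should be treated the same way, `<img class="avatar s40" src="${_.escape(currentUserAvatar)}" />`. The value is presumably server-supplied today, but the placeholder template should not rely on that. `uniqueId` and `discussionClass` in the context lines are also interpolated unescaped; their origin is outside the hunk, so this is worth confirming rather than a defect I can point to. The template literal and the enclosing createPlaceholderNote method both start and end outside the hunk.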
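Review bot: The new spec passes the payload under the key `currentUserNameXSS`, but the markup under test renders `currentUserFullname`, so unless createPlaceholderNote (defined outside this hunk) reads that key, the `.hidden-xs` span is built from an undefined full name and the test does not exercise the escaping it is meant to cover. The option line should read `currentUserFullname: currentUserNameXSS,`. The assertion on `.text()` only checks decoded text, so a more direct check of the escape is `expect($tempNoteHeader.find('.hidden-xs script').length).toEqual(0);` next to the existing expectation. The test title 'should return a escaped user name' should read 'an escaped'.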