authorAlessio Caiazza <acaiazza@gitlab.com>2018-06-25 16:16:45 +0000
committerAlessio Caiazza <acaiazza@gitlab.com>2018-06-25 16:16:45 +0000
commit8d18f219feae2907a2f6f5041ea816395de19fb2 (patch)
tree7dfc8c247b1d9ec10d7089e69bb2c55d3ad07f5e
parent9d6499a57812cd27014afe9663339f89927c3b82 (diff)
parent1fbf6f186948e29dfcd09332a083962904e674ae (diff)
Merge branch 'security-html_escape_usernames' into 'master'
[master] HTML escape the name of the user in ProjectsHelper#link_to_member See merge request gitlab/gitlabhq!2401
-rw-r--r--app/helpers/projects_helper.rb3
-rw-r--r--changelogs/unreleased/security-html_escape_usernames.yml5
-rw-r--r--spec/helpers/projects_helper_spec.rb9
3 files changed, 15 insertions, 2 deletions
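--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,8 @@ module ProjectsHelper
 name_tag_options[:class] << 'has-tooltip'
 end
-content_tag(:span, sanitize(username), name_tag_options)
+# NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
+content_tag(:span, username, name_tag_options)
 end
 def link_to_member(project, author, opts = {}, &block)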
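Review bot: The bare `username` passed to `content_tag` on the replaced line is escaped only because `content_tag` escapes content that is not already marked `html_safe`; if any caller hands in an html_safe string it is emitted verbatim, so the new comment should state that precondition, e.g. `# NOTE: content_tag HTML-escapes username only when it is not html_safe; callers must pass the raw user name`. Dropping `sanitize` is the right direction, since `sanitize` allowlists a set of tags and would have let markup such as the `<h1>` used in the new spec through, whereas full escaping rejects all of it. The method containing this hunk begins before the hunk, so whether `username` can ever arrive already html_safe is not visible here.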
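--- /dev/null
+++ b/changelogs/unreleased/security-html_escape_usernames.yml
@@ -0,0 +1,5 @@
+---
+title: HTML escape the name of the user in ProjectsHelper#link_to_member
+merge_request:
+author:
+type: security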
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index 5cf9e9e8f12..80147b13739 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -248,7 +248,7 @@ describe ProjectsHelper do
describe '#link_to_member' do
let(:group) { build_stubbed(:group) }
let(:project) { build_stubbed(:project, group: group) }
- let(:user) { build_stubbed(:user) }
+ let(:user) { build_stubbed(:user, name: '<h1>Administrator</h1>') }
describe 'using the default options' do
it 'returns an HTML link to the user' do
@@ -256,6 +256,13 @@ describe ProjectsHelper do
expect(link).to match(%r{/#{user.username}})
end
+
+ it 'HTML escapes the name of the user' do
+ link = helper.link_to_member(project, user)
+
+ expect(link).to include(ERB::Util.html_escape(user.name))
+ expect(link).not_to include(user.name)
+ end
end
end