Merge branch 'security-10-1' into '10-1-stable'

Security fixes for 10.1 RC See merge request gitlab/gitlabhq!2209
author: Jen-Shin Lin <jen-shin@gitlab.com> 2017-10-17 10:12:24 +0000
committer: Stan Hu <stanhu@gmail.com> 2017-10-17 15:58:58 -0700
commit: bd46c8abfd5ee964c47eff0ace021e45cbbe6687 (patch)
tree: e22dc885b8d70829cf3893cc65c49f6351bc2d34 /app/assets/javascripts/filtered_search
parent: 9978ef9884023df12b3fbc5758cf93d166100c80 (diff)
download: gitlab-ce-bd46c8abfd5ee964c47eff0ace021e45cbbe6687.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js b/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
index dd24fc44d2a..d2f92929b8a 100644
--- a/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
+++ b/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
@@ -123,8 +123,8 @@ class FilteredSearchVisualTokens {
         /* eslint-disable no-param-reassign */
         tokenValueContainer.dataset.originalValue = tokenValue;
         tokenValueElement.innerHTML = `
-          <img class="avatar s20" src="${user.avatar_url}" alt="${user.name}'s avatar">
-          ${user.name}
+          <img class="avatar s20" src="${user.avatar_url}" alt="">
+          ${_.escape(user.name)}
         `;
         /* eslint-enable no-param-reassign */
       })
author	Jen-Shin Lin <jen-shin@gitlab.com>	2017-10-17 10:12:24 +0000
committer	Stan Hu <stanhu@gmail.com>	2017-10-17 15:58:58 -0700
commit	bd46c8abfd5ee964c47eff0ace021e45cbbe6687 (patch)
tree	e22dc885b8d70829cf3893cc65c49f6351bc2d34 /app/assets/javascripts/filtered_search
parent	9978ef9884023df12b3fbc5758cf93d166100c80 (diff)
download	gitlab-ce-bd46c8abfd5ee964c47eff0ace021e45cbbe6687.tar.gz