Fixed XSS in branch name in Web IDE

#2691
author: Phil Hughes <me@iamphill.com> 2018-07-10 09:44:42 +0100
committer: Phil Hughes <me@iamphill.com> 2018-07-10 09:44:42 +0100
commit: 0a59ccac61d16dde068d3a78a04060265dd34e28 (patch)
tree: 2749ae8c0073b96da1f432924e3b3ef61c47a9ad /app/assets/javascripts/ide
parent: 1fb0fc3ad3e79f980774e592d1000739003cf8c7 (diff)
download: gitlab-ce-0a59ccac61d16dde068d3a78a04060265dd34e28.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
index eb7cb9745ec..a8b5c7a16d0 100644
--- a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
+++ b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
@@ -1,4 +1,5 @@
 <script>
+import _ from 'underscore';
 import { mapActions, mapState, mapGetters } from 'vuex';
 import { sprintf, __ } from '~/locale';
 import * as consts from '../../stores/modules/commit/constants';
@@ -14,7 +15,7 @@ export default {
     commitToCurrentBranchText() {
       return sprintf(
         __('Commit to %{branchName} branch'),
-        { branchName: `<strong class="monospace">${this.currentBranchId}</strong>` },
+        { branchName: `<strong class="monospace">${_.escape(this.currentBranchId)}</strong>` },
         false,
       );
     },
author	Phil Hughes <me@iamphill.com>	2018-07-10 09:44:42 +0100
committer	Phil Hughes <me@iamphill.com>	2018-07-10 09:44:42 +0100
commit	0a59ccac61d16dde068d3a78a04060265dd34e28 (patch)
tree	2749ae8c0073b96da1f432924e3b3ef61c47a9ad /app/assets/javascripts/ide
parent	1fb0fc3ad3e79f980774e592d1000739003cf8c7 (diff)
download	gitlab-ce-0a59ccac61d16dde068d3a78a04060265dd34e28.tar.gz