author | Jacob Schatz <jschatz@gitlab.com> | 2017-09-06 15:59:49 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2017-09-07 20:22:16 -0400 |
commit | 941a2d27373a99cb96561e7f41ac6ae8351dbb96 (patch) | |
tree | 2c7dda705f0007f34f595d56ff46928638a8d833 /app/assets/javascripts/notes.js | |
parent | bc10afb600a8079fe250e7c82bf16763a8fed28f (diff) | |
Merge branch 'fix-comment-reflection' into 'security-9-5'
Fix Live Comment XSS Vulnerability
See merge request gitlab/gitlabhq!2183
Diffstat (limited to 'app/assets/javascripts/notes.js')
-rw-r--r-- | app/assets/javascripts/notes.js | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js
index a09270d6d24..f5f7bb4653d 100644
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1272,16 +1272,16 @@ export default class Notes {
       `<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry">
         <div class="timeline-entry-inner">
           <div class="timeline-icon">
-            <a href="/${currentUsername}">
+            <a href="/${_.escape(currentUsername)}">
               <img class="avatar s40" src="${currentUserAvatar}" />
             </a>
           </div>
           <div class="timeline-content ${discussionClass}">
             <div class="note-header">
               <div class="note-header-info">
-                <a href="/${currentUsername}">
-                  <span class="hidden-xs">${currentUserFullname}</span>
-                  <span class="note-headline-light">@${currentUsername}</span>
+                <a href="/${_.escape(currentUsername)}">
+                  <span class="hidden-xs">${_.escape(currentUsername)}</span>
+                  <span class="note-headline-light">${_.escape(currentUsername)}</span>
                 </a>
               </div>
             </div>
@@ -1295,6 +1295,9 @@ export default class Notes {
       </li>`
     );
 
+    $tempNote.find('.hidden-xs').text(_.escape(currentUserFullname));
+    $tempNote.find('.note-headline-light').text(`@${_.escape(currentUsername)}`);
+
     return $tempNote;
   }
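Review bot: The two `.text()` calls added in the second hunk double-escape their arguments: jQuery's `.text()` already inserts the value as text rather than markup, so passing `_.escape(currentUserFullname)` makes a name such as `O'Brien` render literally as `O&#x27;Brien` in the placeholder note. Drop the `_.escape()` wrappers inside both `.text()` calls, e.g. `$tempNote.find('.hidden-xs').text(currentUserFullname);` — `.text()` provides the XSS protection on its own, and the hunk's `href` interpolations keep their `_.escape`. That also makes the `${_.escape(currentUsername)}` values written into those two spans in the first hunk dead content that is overwritten immediately, so the spans can be left empty in the template. `${currentUserAvatar}` is still interpolated raw into the `src` attribute in the first hunk; if that value can be influenced by a user it needs the same `_.escape` treatment as the username. The enclosing method starts before the first hunk.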