Merge branch 'fix-comment-reflection' into 'security-9-5'

Fix Live Comment XSS Vulnerability

See merge request gitlab/gitlabhq!2183

1 files changed, 7 insertions, 4 deletions

diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js
index a09270d6d24..f5f7bb4653d 100644
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1272,16 +1272,16 @@ export default class Notes {
       `<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry">
          <div class="timeline-entry-inner">
             <div class="timeline-icon">
-               <a href="/${currentUsername}">
+               <a href="/${_.escape(currentUsername)}">
                  <img class="avatar s40" src="${currentUserAvatar}" />
                </a>
             </div>
             <div class="timeline-content ${discussionClass}">
                <div class="note-header">
                   <div class="note-header-info">
-                     <a href="/${currentUsername}">
-                       <span class="hidden-xs">${currentUserFullname}</span>
-                       <span class="note-headline-light">@${currentUsername}</span>
+                     <a href="/${_.escape(currentUsername)}">
+                       <span class="hidden-xs">${_.escape(currentUsername)}</span>
+                       <span class="note-headline-light">${_.escape(currentUsername)}</span>
                      </a>
                   </div>
                </div>
@@ -1295,6 +1295,9 @@ export default class Notes {
       </li>`
     );
 
+    $tempNote.find('.hidden-xs').text(_.escape(currentUserFullname));
+    $tempNote.find('.note-headline-light').text(`@${_.escape(currentUsername)}`);
+
     return $tempNote;
   }