Sanitize search text to prevent XSS

author: samantha-dev <sming@gitlab.com> 2019-09-27 13:59:41 -0700
committer: samantha-dev <sming@gitlab.com> 2019-10-02 19:06:25 -0700
commit: 84f243bc958bb12c2ee5e372f31a8d68bff4f94e (patch)
tree: b3a76c6f8746699d1b466a69d204b42d78d47607 /app/assets/javascripts/project_find_file.js
parent: 427b23c12718bea233931431e7d9307881a960c0 (diff)
download: gitlab-ce-84f243bc958bb12c2ee5e372f31a8d68bff4f94e.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/app/assets/javascripts/project_find_file.js b/app/assets/javascripts/project_find_file.js
index 2c375b39c1f..58f088444d0 100644
--- a/app/assets/javascripts/project_find_file.js
+++ b/app/assets/javascripts/project_find_file.js
@@ -5,6 +5,7 @@ import fuzzaldrinPlus from 'fuzzaldrin-plus';
 import axios from '~/lib/utils/axios_utils';
 import flash from '~/flash';
 import { __ } from '~/locale';
+import sanitize from 'sanitize-html';
 
 // highlight text(awefwbwgtc -> <b>a</b>wefw<b>b</b>wgt<b>c</b> )
 const highlighter = function(element, text, matches) {
@@ -74,7 +75,7 @@ export default class ProjectFindFile {
 
   findFile() {
     var result, searchText;
-    searchText = this.inputElement.val();
+    searchText = sanitize(this.inputElement.val());
     result =
       searchText.length > 0 ? fuzzaldrinPlus.filter(this.filePaths, searchText) : this.filePaths;
     return this.renderList(result, searchText);
author	samantha-dev <sming@gitlab.com>	2019-09-27 13:59:41 -0700
committer	samantha-dev <sming@gitlab.com>	2019-10-02 19:06:25 -0700
commit	84f243bc958bb12c2ee5e372f31a8d68bff4f94e (patch)
tree	b3a76c6f8746699d1b466a69d204b42d78d47607 /app/assets/javascripts/project_find_file.js
parent	427b23c12718bea233931431e7d9307881a960c0 (diff)
download	gitlab-ce-84f243bc958bb12c2ee5e372f31a8d68bff4f94e.tar.gz