Merge branch '10-7-security_issue_42029' into 'security-10-7'

Sanitize user name to avoid XSS attacks See merge request gitlab/gitlabhq!2373
author: Phil Hughes <me@iamphill.com> 2018-04-18 07:40:36 +0000
committer: Mayra Cabrera <mcabrera@gitlab.com> 2018-04-30 15:01:01 -0500
commit: 2f7b71df7619768220657ed47c7737f4c3e19e90 (patch)
tree: 58dfea9291271147164b6a2151635b31f23af6f0 /app/assets/javascripts/sidebar
parent: 9cf4e4734192c7234a97f1a7f472eed3ce7a2448 (diff)
download: gitlab-ce-2f7b71df7619768220657ed47c7737f4c3e19e90.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js b/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
index 1eadebc7004..b267422cd97 100644
--- a/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
+++ b/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import _ from 'underscore';
 
 function isValidProjectId(id) {
   return id > 0;
@@ -43,7 +44,7 @@ class SidebarMoveIssue {
       renderRow: project => `
         <li>
           <a href="#" class="js-move-issue-dropdown-item">
-            ${project.name_with_namespace}
+            ${_.escape(project.name_with_namespace)}
           </a>
         </li>
       `,
author	Phil Hughes <me@iamphill.com>	2018-04-18 07:40:36 +0000
committer	Mayra Cabrera <mcabrera@gitlab.com>	2018-04-30 15:01:01 -0500
commit	2f7b71df7619768220657ed47c7737f4c3e19e90 (patch)
tree	58dfea9291271147164b6a2151635b31f23af6f0 /app/assets/javascripts/sidebar
parent	9cf4e4734192c7234a97f1a7f472eed3ce7a2448 (diff)
download	gitlab-ce-2f7b71df7619768220657ed47c7737f4c3e19e90.tar.gz