diff options
author | Rémy Coutable <remy@rymai.me> | 2016-04-21 17:13:14 +0200 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2016-04-25 15:28:24 -0400 |
commit | ef340f6e777875e1bbb38752e64ba7bea3ab2f31 (patch) | |
tree | 7a190b13b4128ba086224023253e53f605e9b10d /app/helpers/issues_helper.rb | |
parent | b79c5c40e18086f10b849d069bc1c496a851cbae (diff) | |
download | gitlab-ce-ef340f6e777875e1bbb38752e64ba7bea3ab2f31.tar.gz |
Ensure URL in all Service subclasses are valid
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'app/helpers/issues_helper.rb')
-rw-r--r-- | app/helpers/issues_helper.rb | 48 |
1 files changed, 33 insertions, 15 deletions
diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb index afe1e11a0da..198d39455d7 100644 --- a/app/helpers/issues_helper.rb +++ b/app/helpers/issues_helper.rb @@ -16,31 +16,49 @@ module IssuesHelper def url_for_project_issues(project = @project, options = {}) return '' if project.nil? - if options[:only_path] - project.issues_tracker.project_path - else - project.issues_tracker.project_url - end + url = + if options[:only_path] + project.issues_tracker.project_path + else + project.issues_tracker.project_url + end + + # Ensure we return a valid URL to prevent possible XSS. + URI.parse(url).to_s + rescue URI::InvalidURIError + '' end def url_for_new_issue(project = @project, options = {}) return '' if project.nil? - if options[:only_path] - project.issues_tracker.new_issue_path - else - project.issues_tracker.new_issue_url - end + url = + if options[:only_path] + project.issues_tracker.new_issue_path + else + project.issues_tracker.new_issue_url + end + + # Ensure we return a valid URL to prevent possible XSS. + URI.parse(url).to_s + rescue URI::InvalidURIError + '' end def url_for_issue(issue_iid, project = @project, options = {}) return '' if project.nil? - if options[:only_path] - project.issues_tracker.issue_path(issue_iid) - else - project.issues_tracker.issue_url(issue_iid) - end + url = + if options[:only_path] + project.issues_tracker.issue_path(issue_iid) + else + project.issues_tracker.issue_url(issue_iid) + end + + # Ensure we return a valid URL to prevent possible XSS. + URI.parse(url).to_s + rescue URI::InvalidURIError + '' end def bulk_update_milestone_options |