Merge branch 'security-fix-html-injection-for-label-description-ce-master' into 'master'

Fix HTML injection for label description See merge request gitlab/gitlabhq!3250
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-29 21:34:20 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-29 21:34:20 +0000
commit: 170cb8bc1828b80019fa45e48bc37161973e7a0e (patch)
tree: 98a51a0facd35cdf6ed06bb3c4c5dd937cc8c04d /app/models/label.rb
parent: 7d6ec7f7ed19b9093e8ea604d7f024a1e84a847e (diff)
parent: 927f608f2c4905e430d2df1c455cec793ef41aa9 (diff)
download: gitlab-ce-170cb8bc1828b80019fa45e48bc37161973e7a0e.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/app/models/label.rb b/app/models/label.rb
index d9455b36242..dc9f0a3d1a9 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -199,7 +199,11 @@ class Label < ApplicationRecord
   end
 
   def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
   end
 
   ##
@@ -260,7 +264,7 @@ class Label < ApplicationRecord
     end
   end
 
-  def sanitize_title(value)
+  def sanitize_value(value)
     CGI.unescapeHTML(Sanitize.clean(value.to_s))
   end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-29 21:34:20 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-29 21:34:20 +0000
commit	170cb8bc1828b80019fa45e48bc37161973e7a0e (patch)
tree	98a51a0facd35cdf6ed06bb3c4c5dd937cc8c04d /app/models/label.rb
parent	7d6ec7f7ed19b9093e8ea604d7f024a1e84a847e (diff)
parent	927f608f2c4905e430d2df1c455cec793ef41aa9 (diff)
download	gitlab-ce-170cb8bc1828b80019fa45e48bc37161973e7a0e.tar.gz