diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-29 21:34:20 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-29 21:34:20 +0000 |
commit | 170cb8bc1828b80019fa45e48bc37161973e7a0e (patch) | |
tree | 98a51a0facd35cdf6ed06bb3c4c5dd937cc8c04d /app/models/label.rb | |
parent | 7d6ec7f7ed19b9093e8ea604d7f024a1e84a847e (diff) | |
parent | 927f608f2c4905e430d2df1c455cec793ef41aa9 (diff) | |
download | gitlab-ce-170cb8bc1828b80019fa45e48bc37161973e7a0e.tar.gz |
Merge branch 'security-fix-html-injection-for-label-description-ce-master' into 'master'
Fix HTML injection for label description
See merge request gitlab/gitlabhq!3250
Diffstat (limited to 'app/models/label.rb')
-rw-r--r-- | app/models/label.rb | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/app/models/label.rb b/app/models/label.rb index d9455b36242..dc9f0a3d1a9 100644 --- a/app/models/label.rb +++ b/app/models/label.rb @@ -199,7 +199,11 @@ class Label < ApplicationRecord end def title=(value) - write_attribute(:title, sanitize_title(value)) if value.present? + write_attribute(:title, sanitize_value(value)) if value.present? + end + + def description=(value) + write_attribute(:description, sanitize_value(value)) if value.present? end ## @@ -260,7 +264,7 @@ class Label < ApplicationRecord end end - def sanitize_title(value) + def sanitize_value(value) CGI.unescapeHTML(Sanitize.clean(value.to_s)) end |