Fix HTML injection for label description

Add changelog entry Add spec
author: Patrick Derichs <pderichs@gitlab.com> 2019-07-15 13:29:56 +0200
committer: Patrick Derichs <pderichs@gitlab.com> 2019-08-05 16:01:43 +0200
commit: 927f608f2c4905e430d2df1c455cec793ef41aa9 (patch)
tree: d565c908ab14491ef9d5bf161d2e7cd3eaab597b /app/models
parent: 52b857f119debb5a03c216c4199eb21a49d815b6 (diff)
download: gitlab-ce-927f608f2c4905e430d2df1c455cec793ef41aa9.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/app/models/label.rb b/app/models/label.rb
index 25de26b8384..19f684c32af 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -197,7 +197,11 @@ class Label < ApplicationRecord
   end
 
   def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
   end
 
   ##
@@ -258,7 +262,7 @@ class Label < ApplicationRecord
     end
   end
 
-  def sanitize_title(value)
+  def sanitize_value(value)
     CGI.unescapeHTML(Sanitize.clean(value.to_s))
   end
author	Patrick Derichs <pderichs@gitlab.com>	2019-07-15 13:29:56 +0200
committer	Patrick Derichs <pderichs@gitlab.com>	2019-08-05 16:01:43 +0200
commit	927f608f2c4905e430d2df1c455cec793ef41aa9 (patch)
tree	d565c908ab14491ef9d5bf161d2e7cd3eaab597b /app/models
parent	52b857f119debb5a03c216c4199eb21a49d815b6 (diff)
download	gitlab-ce-927f608f2c4905e430d2df1c455cec793ef41aa9.tar.gz