diff options
author | Bob Van Landuyt <bob@gitlab.com> | 2018-10-04 16:56:01 +0000 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-10-04 18:58:52 +0200 |
commit | 89ccade810447656d457cff441eff2318b2c7998 (patch) | |
tree | c839d579f2a7828ac63cebcc91b35dd3a6bac768 /app/models | |
parent | 21092657a50dbb3430dcf412d8fe448c348c09de (diff) | |
download | gitlab-ce-89ccade810447656d457cff441eff2318b2c7998.tar.gz |
Merge branch 'security-bw-confidential-titles-through-markdown-api-11-3' into 'security-11-3'
[11.3] Confidential issue/private snippet titles can be read by unauthenticated user through GFM markdown API
See merge request gitlab/gitlabhq!2535
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/project_services/hipchat_service.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/models/project_services/hipchat_service.rb b/app/models/project_services/hipchat_service.rb index 66012f0da99..a69b7b4c4b6 100644 --- a/app/models/project_services/hipchat_service.rb +++ b/app/models/project_services/hipchat_service.rb @@ -149,7 +149,7 @@ class HipchatService < Service context.merge!(options) - html = Banzai.post_process(Banzai.render(text, context), context) + html = Banzai.render_and_post_process(text, context) sanitized_html = sanitize(html, tags: HIPCHAT_ALLOWED_TAGS, attributes: %w[href title alt]) sanitized_html.truncate(200, separator: ' ', omission: '...') |