Merge branch 'svg-xss-fix' into 'security'

Fix for XSS vulnerability in SVG attachments See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059
author: Robert Speicher <robert@gitlab.com> 2017-02-13 22:42:46 +0000
committer: Robert Speicher <rspeicher@gmail.com> 2017-02-15 10:42:13 -0500
commit: dd944bf14f4a0fd555db32d5833325fa459d9565 (patch)
tree: 7822980b0076e2b116933bd1732d31c3e9d160e7 /app/uploaders/file_uploader.rb
parent: 7e1f7a02dbe3ebb6688005a4d966670bea12beb1 (diff)
download: gitlab-ce-dd944bf14f4a0fd555db32d5833325fa459d9565.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
index 47bef7cd1e4..23b7318827c 100644
--- a/app/uploaders/file_uploader.rb
+++ b/app/uploaders/file_uploader.rb
@@ -36,7 +36,7 @@ class FileUploader < GitlabUploader
     escaped_filename = filename.gsub("]", "\\]")
 
     markdown = "[#{escaped_filename}](#{self.secure_url})"
-    markdown.prepend("!") if image_or_video?
+    markdown.prepend("!") if image_or_video? || dangerous?
 
     {
       alt:      filename,
author	Robert Speicher <robert@gitlab.com>	2017-02-13 22:42:46 +0000
committer	Robert Speicher <rspeicher@gmail.com>	2017-02-15 10:42:13 -0500
commit	dd944bf14f4a0fd555db32d5833325fa459d9565 (patch)
tree	7822980b0076e2b116933bd1732d31c3e9d160e7 /app/uploaders/file_uploader.rb
parent	7e1f7a02dbe3ebb6688005a4d966670bea12beb1 (diff)
download	gitlab-ce-dd944bf14f4a0fd555db32d5833325fa459d9565.tar.gz