author | Patrick Derichs <pderichs@gitlab.com> | 2019-07-15 13:29:56 +0200 |
---|---|---|
committer | Patrick Derichs <pderichs@gitlab.com> | 2019-08-05 16:01:43 +0200 |
commit | 927f608f2c4905e430d2df1c455cec793ef41aa9 (patch) | |
tree | d565c908ab14491ef9d5bf161d2e7cd3eaab597b /app | |
parent | 52b857f119debb5a03c216c4199eb21a49d815b6 (diff) | |
download | gitlab-ce-927f608f2c4905e430d2df1c455cec793ef41aa9.tar.gz |
Fix HTML injection for label description
Add changelog entry
Add spec
Diffstat (limited to 'app')
-rw-r--r-- | app/helpers/labels_helper.rb | 2 | ||||
-rw-r--r-- | app/models/label.rb | 8 |
2 files changed, 7 insertions, 3 deletions
diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index 2ed016beea4..c5a3507637e 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -71,7 +71,7 @@ module LabelsHelper
 end
 def label_tooltip_title(label)
- label.description
+ Sanitize.clean(label.description)
 end
 def suggested_colors
diff --git a/app/models/label.rb b/app/models/label.rb
index 25de26b8384..19f684c32af 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -197,7 +197,11 @@ class Label < ApplicationRecord
 end
 def title=(value)
- write_attribute(:title, sanitize_title(value)) if value.present?
+ write_attribute(:title, sanitize_value(value)) if value.present?
+ end
+
+ def description=(value)
+ write_attribute(:description, sanitize_value(value)) if value.present?
 end
 ##
@@ -258,7 +262,7 @@ class Label < ApplicationRecord
 end
 end
- def sanitize_title(value)
+ def sanitize_value(value)
 CGI.unescapeHTML(Sanitize.clean(value.to_s))
 end
|
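Review bot: The new `description=` in app/models/label.rb copies the `if value.present?` guard from `title=`, which means assigning `nil` or `""` is silently dropped, so a description can no longer be cleared through this setter; title is presumably mandatory so the guard was harmless there, but description is optional. Unless skipping blanks is intended, write through unconditionally: `def description=(value)` / `write_attribute(:description, value.present? ? sanitize_value(value) : nil)` / `end`. Separately, `sanitize_value` runs `CGI.unescapeHTML` after `Sanitize.clean`, so its result is plain text that can still contain literal `<` and `>` recovered from entities and must not be treated as HTML-safe; a comment on `sanitize_value` such as `# Strips markup, then decodes entities: the result is plain text, NOT html_safe, and must be escaped or re-sanitized on output` would make that contract explicit, and it is also why the second `Sanitize.clean` in `label_tooltip_title` is still needed for values stored before this change. The helper passes `label.description` straight into `Sanitize.clean`; if the gem version in use does not accept `nil`, a label without a description would raise there, so `Sanitize.clean(label.description.to_s)` is the safer call.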