Escape HTML in commit titles in system note messages

Closes #17348
author: Stan Hu <stanhu@gmail.com> 2016-05-07 08:41:10 -0700
committer: Stan Hu <stanhu@gmail.com> 2016-05-07 08:41:10 -0700
commit: adf9a51899b02f7adc678dca7909201500f05026 (patch)
tree: fbe3212b1ec2c6a29cf9d1a1bea12e908e11d181 /app
parent: 2e1162272e2f90a3677f3def491907729b249434 (diff)
download: gitlab-ce-adf9a51899b02f7adc678dca7909201500f05026.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/app/services/system_note_service.rb b/app/services/system_note_service.rb
index 82a0e2fd1f5..4bdb1b0c074 100644
--- a/app/services/system_note_service.rb
+++ b/app/services/system_note_service.rb
@@ -351,7 +351,7 @@ class SystemNoteService
   # Returns an Array of Strings
   def self.new_commit_summary(new_commits)
     new_commits.collect do |commit|
-      "* #{commit.short_id} - #{commit.title}"
+      "* #{commit.short_id} - #{escape_html(commit.title)}"
     end
   end
 
@@ -433,4 +433,8 @@ class SystemNoteService
     body = "Moved #{direction} #{cross_reference}"
     create_note(noteable: noteable, project: project, author: author, note: body)
   end
+
+  def self.escape_html(text)
+    Rack::Utils.escape_html(text)
+  end
 end
author	Stan Hu <stanhu@gmail.com>	2016-05-07 08:41:10 -0700
committer	Stan Hu <stanhu@gmail.com>	2016-05-07 08:41:10 -0700
commit	adf9a51899b02f7adc678dca7909201500f05026 (patch)
tree	fbe3212b1ec2c6a29cf9d1a1bea12e908e11d181 /app
parent	2e1162272e2f90a3677f3def491907729b249434 (diff)
download	gitlab-ce-adf9a51899b02f7adc678dca7909201500f05026.tar.gz