Escape title attributes in references

2 files changed, 6 insertions, 2 deletions

diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index 7b034f22248..c3b4731dff3 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -109,5 +109,6 @@ module IssuesHelper
     end
   end
 
+  # Required for Gitlab::Markdown::IssueReferenceFilter
   module_function :url_for_issue, :title_for_issue
 end
diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index 0259829a059..8272c177d59 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -1,4 +1,6 @@
 module LabelsHelper
+  include ActionView::Helpers::TagHelper
+
   def project_label_names
     @project.labels.pluck(:title)
   end
@@ -11,7 +13,7 @@ module LabelsHelper
     # by LabelReferenceFilter
     span = %(<span class="label color-label") +
       %( style="background-color: #{label_color}; color: #{text_color}">) +
-      label.name + '</span>'
+      escape_once(label.name) + '</span>'
 
     span.html_safe
   end
@@ -56,5 +58,6 @@ module LabelsHelper
     options_from_collection_for_select(project.labels, 'name', 'name', params[:label_name])
   end
 
-  module_function :render_colored_label, :text_color_for_bg
+  # Required for Gitlab::Markdown::LabelReferenceFilter
+  module_function :render_colored_label, :text_color_for_bg, :escape_once
 end