authorRobert Speicher <robert@gitlab.com>2015-09-08 17:17:37 +0000
committerRobert Speicher <robert@gitlab.com>2015-09-08 17:17:37 +0000
commitdf1f4433c57abb0eebbd091ac6247974d338cda6 (patch)
treee4e130dd371edd9157405042ea7f4142d5e0b55a /app
parent86556a079e34eb1267e63f7b39cc018665e21bfc (diff)
parent9f31f95adad5500045ef35b57d133c633cd08524 (diff)
downloadgitlab-ce-df1f4433c57abb0eebbd091ac6247974d338cda6.tar.gz
Merge branch 'mr-xss' into 'master'
Escape user-provided content in preserved HAML sections See merge request !1927
Diffstat (limited to 'app')
-rw-r--r--app/views/projects/empty.html.haml6
-rw-r--r--app/views/projects/merge_requests/show/_how_to_merge.html.haml16
-rw-r--r--app/views/projects/wikis/git_access.html.haml2
3 files changed, 12 insertions, 12 deletions
diff --git a/app/views/projects/empty.html.haml b/app/views/projects/empty.html.haml
index e577d35d560..798f1c47da5 100644
--- a/app/views/projects/empty.html.haml
+++ b/app/views/projects/empty.html.haml
@@ -22,15 +22,15 @@
%h5 Git global setup
%pre.light-well
:preserve
- git config --global user.name "#{git_user_name}"
- git config --global user.email "#{git_user_email}"
+ git config --global user.name "#{h git_user_name}"
+ git config --global user.email "#{h git_user_email}"
%fieldset
%h5 Create a new repository
%pre.light-well
:preserve
git clone #{ content_tag(:span, default_url_to_repo, class: 'clone')}
- cd #{@project.path}
+ cd #{h @project.path}
touch README.md
git add README.md
git commit -m "add README"
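Review bot: `h` makes these values safe for the browser but not for the shell they are meant to be pasted into. On the `git config --global user.name "#{h git_user_name}"` line a double quote in the name is emitted as `&quot;`, which the browser displays as `"` again, so the copied command no longer has balanced quoting. Quoting for the shell first and then escaping for HTML would cover both layers, for example `git config --global user.name #{h Shellwords.shellescape(git_user_name)}` with the literal quotes dropped. The same applies to `cd #{h @project.path}` here, to the branch and project-path interpolations in `_how_to_merge.html.haml`, and to `cd #{h @project_wiki.path}` in `wikis/git_access.html.haml`, to the extent those values can contain shell metacharacters.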
diff --git a/app/views/projects/merge_requests/show/_how_to_merge.html.haml b/app/views/projects/merge_requests/show/_how_to_merge.html.haml
index db1575f899a..f18cf96c17d 100644
--- a/app/views/projects/merge_requests/show/_how_to_merge.html.haml
+++ b/app/views/projects/merge_requests/show/_how_to_merge.html.haml
@@ -11,12 +11,12 @@
%pre.dark
- if @merge_request.for_fork?
:preserve
- git fetch #{@merge_request.source_project.http_url_to_repo} #{@merge_request.source_branch}
- git checkout -b #{@merge_request.source_project_path}-#{@merge_request.source_branch} FETCH_HEAD
+ git fetch #{h @merge_request.source_project.http_url_to_repo} #{h @merge_request.source_branch}
+ git checkout -b #{h @merge_request.source_project_path}-#{h @merge_request.source_branch} FETCH_HEAD
- else
:preserve
git fetch origin
- git checkout -b #{@merge_request.source_branch} origin/#{@merge_request.source_branch}
+ git checkout -b #{h @merge_request.source_branch} origin/#{h @merge_request.source_branch}
%p
%strong Step 2.
Review the changes locally
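Review bot: The escaping is repeated by hand on every interpolation, and `#{h @merge_request.source_project_path}-#{h @merge_request.source_branch}` is spelled out both here and in the next hunk's `git merge --no-ff` line, so a later edit can easily drop one `h`. Computing the escaped values once above the first `%pre.dark`, e.g. `- source_branch = h(@merge_request.source_branch)` and `- fork_branch = h("#{@merge_request.source_project_path}-#{@merge_request.source_branch}")`, would leave a single place to audit. The partial starts outside this hunk, so the right spot for the assignments is not visible here.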
@@ -27,18 +27,18 @@
%pre.dark
- if @merge_request.for_fork?
:preserve
- git checkout #{@merge_request.target_branch}
- git merge --no-ff #{@merge_request.source_project_path}-#{@merge_request.source_branch}
+ git checkout #{h @merge_request.target_branch}
+ git merge --no-ff #{h @merge_request.source_project_path}-#{h @merge_request.source_branch}
- else
:preserve
- git checkout #{@merge_request.target_branch}
- git merge --no-ff #{@merge_request.source_branch}
+ git checkout #{h @merge_request.target_branch}
+ git merge --no-ff #{h @merge_request.source_branch}
%p
%strong Step 4.
Push the result of the merge to GitLab
%pre.dark
:preserve
- git push origin #{@merge_request.target_branch}
+ git push origin #{h @merge_request.target_branch}
- unless @merge_request.can_be_merged_by?(current_user)
%p
Note that pushing to GitLab requires write access to this repository.
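Review bot: Nothing in the template says why `h` is needed inside these `:preserve` blocks, where the removed lines show that interpolated values were being emitted unescaped. A Haml comment above each `%pre.dark`, such as `-# Interpolation inside :preserve is not auto-escaped; wrap every user-controlled value in h`, would tell the next editor what to do when adding a line. The same comment fits the `:preserve` blocks in `projects/empty.html.haml` and `projects/wikis/git_access.html.haml`.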
diff --git a/app/views/projects/wikis/git_access.html.haml b/app/views/projects/wikis/git_access.html.haml
index 62071e29d74..226fd3b2290 100644
--- a/app/views/projects/wikis/git_access.html.haml
+++ b/app/views/projects/wikis/git_access.html.haml
@@ -21,7 +21,7 @@
%pre.dark
:preserve
git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')}
- cd #{@project_wiki.path}
+ cd #{h @project_wiki.path}
%legend Start Gollum And Edit Locally:
%pre.dark