author | Jacob Schatz <jschatz@gitlab.com> | 2017-12-15 20:29:53 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2018-01-15 11:23:06 +0100 |
commit | 1a901a33d585e73e523bed07440a92243f61cfcf (patch) | |
tree | 3362fd1fd460417691e0dc502e0be02a41bfae8a /app | |
parent | f64c19e96dd39e301e99a133b39664a0ea96f00f (diff) | |
download | gitlab-ce-1a901a33d585e73e523bed07440a92243f61cfcf.tar.gz |
Merge branch 'label-xss-10-3' into 'security-10-3'
[10.3] Fix XSS in issue label dropdown
See merge request gitlab/gitlabhq!2253
(cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360)
ea1fb0ea Fix XSS in issue label dropdown
Diffstat (limited to 'app')
-rw-r--r-- | app/assets/javascripts/labels_select.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js
index f7a1c9f1e40..664e793fc8e 100644
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -231,7 +231,7 @@ export default class LabelsSelect {
 selectedClass.push('label-item');
 $a.attr('data-label-id', label.id);
 }
- $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
+ $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
 // Return generated html
 return $li.html($a).prop('outerHTML');
 }, |
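Review bot: `colorEl` is still interpolated unescaped into the `.html()` sink on the changed line, so the fix covers only `label.title`. `colorEl` is built outside this hunk (the enclosing render function starts and ends outside it); if it embeds `label.color` or any other label field, that value needs the same escaping or an allow-list check where it is built. A short comment above the line would keep the invariant visible for the next editor: `// .html() sink: label.title is user-controlled and must stay escaped; colorEl must contain only trusted markup`. The diffstat is limited to `app`, so it is not visible here whether a regression spec rendering a label title that contains markup accompanies the change; one is worth having.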