Merge branch 'label-xss-10-3' into 'security-10-3'

[10.3] Fix XSS in issue label dropdown See merge request gitlab/gitlabhq!2253 (cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360) ea1fb0ea Fix XSS in issue label dropdown
author: Jacob Schatz <jschatz@gitlab.com> 2017-12-15 20:29:53 +0000
committer: Rémy Coutable <remy@rymai.me> 2018-01-15 11:23:06 +0100
commit: 1a901a33d585e73e523bed07440a92243f61cfcf (patch)
tree: 3362fd1fd460417691e0dc502e0be02a41bfae8a /app
parent: f64c19e96dd39e301e99a133b39664a0ea96f00f (diff)
download: gitlab-ce-1a901a33d585e73e523bed07440a92243f61cfcf.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js
index f7a1c9f1e40..664e793fc8e 100644
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -231,7 +231,7 @@ export default class LabelsSelect {
             selectedClass.push('label-item');
             $a.attr('data-label-id', label.id);
           }
-          $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
+          $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
           // Return generated html
           return $li.html($a).prop('outerHTML');
         },
author	Jacob Schatz <jschatz@gitlab.com>	2017-12-15 20:29:53 +0000
committer	Rémy Coutable <remy@rymai.me>	2018-01-15 11:23:06 +0100
commit	1a901a33d585e73e523bed07440a92243f61cfcf (patch)
tree	3362fd1fd460417691e0dc502e0be02a41bfae8a /app
parent	f64c19e96dd39e301e99a133b39664a0ea96f00f (diff)
download	gitlab-ce-1a901a33d585e73e523bed07440a92243f61cfcf.tar.gz