Escapes html content before appending it to the DOM

author: Filipa Lacerda <filipa@gitlab.com> 2017-05-25 14:32:14 +0100
committer: Filipa Lacerda <filipa@gitlab.com> 2017-05-25 14:32:14 +0100
commit: dc2ac9937a378f4351ba34bb6fab93558f93d611 (patch)
tree: dd1b842005418cfe76db8c5a5f717680c3ad0cf3 /app
parent: c013d23d6320487cf293891f7c6b213cab816980 (diff)
download: gitlab-ce-dc2ac9937a378f4351ba34bb6fab93558f93d611.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js
index b0b1cfd6c8a..702915c516f 100644
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1398,7 +1398,7 @@ const normalizeNewlines = function(str) {
       const cachedNoteBodyText = $noteBodyText.html();
 
       // Show updated comment content temporarily
-      $noteBodyText.html(formContent);
+      $noteBodyText.html(_.escape(formContent));
       $editingNote.removeClass('is-editing fade-in-full').addClass('being-posted fade-in-half');
       $editingNote.find('.note-headline-meta a').html('<i class="fa fa-spinner fa-spin" aria-label="Comment is being updated" aria-hidden="true"></i>');
 
@@ -1411,7 +1411,7 @@ const normalizeNewlines = function(str) {
         })
         .fail(() => {
           // Submission failed, revert back to original note
-          $noteBodyText.html(cachedNoteBodyText);
+          $noteBodyText.html(_.escape(cachedNoteBodyText));
           $editingNote.removeClass('being-posted fade-in');
           $editingNote.find('.fa.fa-spinner').remove();
author	Filipa Lacerda <filipa@gitlab.com>	2017-05-25 14:32:14 +0100
committer	Filipa Lacerda <filipa@gitlab.com>	2017-05-25 14:32:14 +0100
commit	dc2ac9937a378f4351ba34bb6fab93558f93d611 (patch)
tree	dd1b842005418cfe76db8c5a5f717680c3ad0cf3 /app
parent	c013d23d6320487cf293891f7c6b213cab816980 (diff)
download	gitlab-ce-dc2ac9937a378f4351ba34bb6fab93558f93d611.tar.gz