Merge branch 'security-label-xss' into 'master'

[master] Escape html entities when no label found See merge request gitlab/gitlabhq!2706
author: John Jarvis <jarv@gitlab.com> 2019-01-02 09:34:13 +0000
committer: John Jarvis <jarv@gitlab.com> 2019-01-02 09:34:13 +0000
commit: 90e1f10f074607e1ae061e7bc3594a9dfe7873f8 (patch)
tree: 4843899683beba31bf6549f1070a61aff1375c27 /lib/banzai/filter
parent: a74700178db77aaba47f3773abe2b7e3c9cf6732 (diff)
parent: a1d69ab6b86b93e600bdd90190f0a7d574992e91 (diff)
download: gitlab-ce-90e1f10f074607e1ae061e7bc3594a9dfe7873f8.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index 04ec38209c7..f90a35952e5 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -29,7 +29,7 @@ module Banzai
           if label
             yield match, label.id, project, namespace, $~
           else
-            match
+            escape_html_entities(match)
           end
         end
       end
@@ -102,6 +102,10 @@ module Banzai
         CGI.unescapeHTML(text.to_s)
       end
 
+      def escape_html_entities(text)
+        CGI.escapeHTML(text.to_s)
+      end
+
       def object_link_title(object, matches)
         # use title of wrapped element instead
         nil
author	John Jarvis <jarv@gitlab.com>	2019-01-02 09:34:13 +0000
committer	John Jarvis <jarv@gitlab.com>	2019-01-02 09:34:13 +0000
commit	90e1f10f074607e1ae061e7bc3594a9dfe7873f8 (patch)
tree	4843899683beba31bf6549f1070a61aff1375c27 /lib/banzai/filter
parent	a74700178db77aaba47f3773abe2b7e3c9cf6732 (diff)
parent	a1d69ab6b86b93e600bdd90190f0a7d574992e91 (diff)
download	gitlab-ce-90e1f10f074607e1ae061e7bc3594a9dfe7873f8.tar.gz