diff options
author | John Jarvis <jarv@gitlab.com> | 2019-01-02 09:34:13 +0000 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2019-01-02 09:34:13 +0000 |
commit | 90e1f10f074607e1ae061e7bc3594a9dfe7873f8 (patch) | |
tree | 4843899683beba31bf6549f1070a61aff1375c27 /lib/banzai/filter | |
parent | a74700178db77aaba47f3773abe2b7e3c9cf6732 (diff) | |
parent | a1d69ab6b86b93e600bdd90190f0a7d574992e91 (diff) | |
download | gitlab-ce-90e1f10f074607e1ae061e7bc3594a9dfe7873f8.tar.gz |
Merge branch 'security-label-xss' into 'master'
[master] Escape html entities when no label found
See merge request gitlab/gitlabhq!2706
Diffstat (limited to 'lib/banzai/filter')
-rw-r--r-- | lib/banzai/filter/label_reference_filter.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb index 04ec38209c7..f90a35952e5 100644 --- a/lib/banzai/filter/label_reference_filter.rb +++ b/lib/banzai/filter/label_reference_filter.rb @@ -29,7 +29,7 @@ module Banzai if label yield match, label.id, project, namespace, $~ else - match + escape_html_entities(match) end end end @@ -102,6 +102,10 @@ module Banzai CGI.unescapeHTML(text.to_s) end + def escape_html_entities(text) + CGI.escapeHTML(text.to_s) + end + def object_link_title(object, matches) # use title of wrapped element instead nil |