authorRobert Speicher <rspeicher@gmail.com>2015-04-16 12:41:59 -0400
committerRobert Speicher <rspeicher@gmail.com>2015-04-20 13:01:46 -0400
commitb905702d4f02afaf580d2d83afc9168af95073ca (patch)
tree1fd8ac04d75cd720f40c48e6f94b5b0c95de5f17 /lib
parenta3c71d9898ac762ebec8800a68f8aaae7671773c (diff)
Escape title attributes in references
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/markdown/commit_reference_filter.rb2
-rw-r--r--lib/gitlab/markdown/external_issue_reference_filter.rb2
-rw-r--r--lib/gitlab/markdown/issue_reference_filter.rb2
-rw-r--r--lib/gitlab/markdown/merge_request_reference_filter.rb2
-rw-r--r--lib/gitlab/markdown/reference_filter.rb5
-rw-r--r--lib/gitlab/markdown/snippet_reference_filter.rb2
6 files changed, 10 insertions, 5 deletions
diff --git a/lib/gitlab/markdown/commit_reference_filter.rb b/lib/gitlab/markdown/commit_reference_filter.rb
index 914eb29dc0c..5a7eca7e5b0 100644
--- a/lib/gitlab/markdown/commit_reference_filter.rb
+++ b/lib/gitlab/markdown/commit_reference_filter.rb
@@ -50,7 +50,7 @@ module Gitlab
if project.valid_repo? && commit = project.repository.commit(commit_ref)
url = url_for_commit(project, commit)
- title = commit.link_title
+ title = escape_once(commit.link_title)
klass = reference_class(:commit)
project_ref += '@' if project_ref
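Review bot: Escaping `title` at its assignment fixes this one attribute but leaves every other interpolation in the anchor literal to the discipline of each subclass, so the next attribute added to one of these filters can reintroduce the same injection; the identical pattern is applied in the external_issue, issue, merge_request and snippet hunks below, and `href="#{url}"` in those hunks is still interpolated raw (low risk if `url` only ever comes from the url_for_* helpers, which cannot be confirmed here). The `%(<a href="#{url}" …)` literal that consumes `title`, and the rest of this method, lie outside the visible lines of this hunk. A more robust shape would be a single base-class helper that receives the attribute values and escapes all of them when it builds the tag, so that a subclass cannot omit the step; until then a comment at the assignment such as `# rendered inside a double-quoted title attribute; must stay escaped` records the invariant for the next editor. Whether `commit.link_title` already returns escaped text cannot be seen in this hunk; if it does, `escape_once` is what keeps it from being double-escaped, which is presumably why the once-variant was chosen.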
diff --git a/lib/gitlab/markdown/external_issue_reference_filter.rb b/lib/gitlab/markdown/external_issue_reference_filter.rb
index cbbadc79847..0fc3f4cca06 100644
--- a/lib/gitlab/markdown/external_issue_reference_filter.rb
+++ b/lib/gitlab/markdown/external_issue_reference_filter.rb
@@ -46,7 +46,7 @@ module Gitlab
self.class.references_in(text) do |match, issue|
url = url_for_issue(issue, project, only_path: context[:only_path])
- title = "Issue in #{project.external_issue_tracker.title}"
+ title = escape_once("Issue in #{project.external_issue_tracker.title}")
klass = reference_class(:issue)
%(<a href="#{url}"
diff --git a/lib/gitlab/markdown/issue_reference_filter.rb b/lib/gitlab/markdown/issue_reference_filter.rb
index 680daaf6a1d..13d2ba4bab3 100644
--- a/lib/gitlab/markdown/issue_reference_filter.rb
+++ b/lib/gitlab/markdown/issue_reference_filter.rb
@@ -50,7 +50,7 @@ module Gitlab
if project.issue_exists?(issue)
url = url_for_issue(issue, project, only_path: context[:only_path])
- title = "Issue: #{title_for_issue(issue, project)}"
+ title = escape_once("Issue: #{title_for_issue(issue, project)}")
klass = reference_class(:issue)
%(<a href="#{url}"
diff --git a/lib/gitlab/markdown/merge_request_reference_filter.rb b/lib/gitlab/markdown/merge_request_reference_filter.rb
index 15f0c09ab00..372543783e6 100644
--- a/lib/gitlab/markdown/merge_request_reference_filter.rb
+++ b/lib/gitlab/markdown/merge_request_reference_filter.rb
@@ -52,7 +52,7 @@ module Gitlab
project = self.project_from_ref(project_ref)
if merge_request = project.merge_requests.find_by(iid: id)
- title = "Merge Request: #{merge_request.title}"
+ title = escape_once("Merge Request: #{merge_request.title}")
klass = reference_class(:merge_request)
url = url_for_merge_request(merge_request, project)
diff --git a/lib/gitlab/markdown/reference_filter.rb b/lib/gitlab/markdown/reference_filter.rb
index 7bd14020ecc..26663c8d990 100644
--- a/lib/gitlab/markdown/reference_filter.rb
+++ b/lib/gitlab/markdown/reference_filter.rb
@@ -1,3 +1,4 @@
+require 'active_support/core_ext/string/output_safety'
require 'html/pipeline'
module Gitlab
@@ -12,6 +13,10 @@ module Gitlab
# :only_path - Generate path-only links.
#
class ReferenceFilter < HTML::Pipeline::Filter
+ def escape_once(html)
+ ERB::Util.html_escape_once(html)
+ end
+
# Don't look for references in text nodes that are children of these
# elements.
IGNORE_PARENTS = %w(pre code a style).to_set
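Review bot: `escape_once` is dropped between the class header and the `IGNORE_PARENTS` constant with no documentation, and as a public method it widens the filter's interface for what is an internal helper used only by the subclasses changed in this commit. Move it below the constants with the other methods, consider placing it under `private` (Ruby subclasses can still call a private inherited method without an explicit receiver), and record why the once-variant was picked: `# Escape HTML-special characters for use in an attribute value. Uses html_escape_once so titles that already carry entities are not double-escaped; '"', "'", '<' and '>' are always escaped, so the result is safe inside a double-quoted attribute.` I believe `ERB::Util.html_escape_once` returns an html_safe SafeBuffer, and that marking is lost as soon as the value is interpolated into the plain `%()` strings the subclasses build, so callers should not rely on `html_safe?` of the resulting markup. The `require` added in the first hunk of this file is what brings `ERB::Util.html_escape_once` into scope, so it must stay alongside this method.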
diff --git a/lib/gitlab/markdown/snippet_reference_filter.rb b/lib/gitlab/markdown/snippet_reference_filter.rb
index 193a548af92..9cada5abaa0 100644
--- a/lib/gitlab/markdown/snippet_reference_filter.rb
+++ b/lib/gitlab/markdown/snippet_reference_filter.rb
@@ -48,7 +48,7 @@ module Gitlab
project = self.project_from_ref(project_ref)
if snippet = project.snippets.find_by(id: id)
- title = "Snippet: #{snippet.title}"
+ title = escape_once("Snippet: #{snippet.title}")
klass = reference_class(:snippet)
url = url_for_snippet(snippet, project)