Escapes milestone and label names when promoting them

2 files changed, 9 insertions, 1 deletions

diff --git a/spec/controllers/projects/labels_controller_spec.rb b/spec/controllers/projects/labels_controller_spec.rb
index 273702e6d21..e03d23bcdf6 100644
--- a/spec/controllers/projects/labels_controller_spec.rb
+++ b/spec/controllers/projects/labels_controller_spec.rb
@@ -143,6 +143,14 @@ describe Projects::LabelsController do
         expect(GroupLabel.find_by(title: promoted_label_name)).not_to be_nil
       end
 
+      it 'renders label name without parsing it as HTML' do
+        label_1.update!(name: 'CCC<img src=x onerror=alert(document.domain)>')
+
+        post :promote, namespace_id: project.namespace.to_param, project_id: project, id: label_1.to_param
+
+        expect(flash[:notice]).to eq("CCC&lt;img src=x onerror=alert(document.domain)&gt; promoted to <a href=\"#{group_labels_path(project.group)}\"><u>group label</u></a>.")
+      end
+
       context 'service raising InvalidRecord' do
         before do
           expect_any_instance_of(Labels::PromoteService).to receive(:execute) do |label|
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index e351e0fe07d..6c2d1c7e92b 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -133,7 +133,7 @@ describe Projects::MilestonesController do
 
         post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid
 
-        expect(flash[:notice]).to eq("CCC<img src=\"x\"> promoted to <a href=\"#{group_milestone_path(project.group, milestone.iid)}\"><u>group milestone</u></a>.")
+        expect(flash[:notice]).to eq("CCC promoted to <a href=\"#{group_milestone_path(project.group, milestone.iid)}\"><u>group milestone</u></a>.")
       end
     end