Merge branch 'security-11-2-2717-fix-issue-title-xss' into 'security-11-2'

[11.2] Escape issue title while template rendering to prevent XSS

See merge request gitlab/gitlabhq!2558

1 files changed, 15 insertions, 0 deletions

diff --git a/spec/features/issues/gfm_autocomplete_spec.rb b/spec/features/issues/gfm_autocomplete_spec.rb
index 98e37d8011a..8a43847d64d 100644
--- a/spec/features/issues/gfm_autocomplete_spec.rb
+++ b/spec/features/issues/gfm_autocomplete_spec.rb
@@ -34,6 +34,21 @@ describe 'GFM autocomplete', :js do
     expect(page).to have_selector('.atwho-container')
   end
 
+  it 'opens autocomplete menu when field starts with text with item escaping HTML characters' do
+    alert_title = 'This will execute alert<img src=x onerror=alert(2)&lt;img src=x onerror=alert(1)&gt;'
+    create(:issue, project: project, title: alert_title)
+
+    page.within '.timeline-content-form' do
+      find('#note-body').native.send_keys('#')
+    end
+
+    expect(page).to have_selector('.atwho-container')
+
+    page.within '.atwho-container #at-view-issues' do
+      expect(page.all('li').first.text).to include(alert_title)
+    end
+  end
+
   it 'doesnt open autocomplete menu character is prefixed with text' do
     page.within '.timeline-content-form' do
       find('#note-body').native.send_keys('testing')