diff options
-rw-r--r-- | CHANGELOG.md | 35 | ||||
-rw-r--r-- | app/assets/javascripts/droplab/constants.js | 3 | ||||
-rw-r--r-- | app/assets/javascripts/droplab/drop_down.js | 2 | ||||
-rw-r--r-- | app/assets/javascripts/droplab/utils.js | 16 | ||||
-rw-r--r-- | app/assets/javascripts/filtered_search/dropdown_hint.js | 2 | ||||
-rw-r--r-- | spec/javascripts/droplab/constants_spec.js | 6 | ||||
-rw-r--r-- | spec/javascripts/droplab/drop_down_spec.js | 4 |
7 files changed, 56 insertions, 12 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 2686d778b09..e625278a796 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,18 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 9.1.3 (2017-05-05) + +- Do not show private groups on subgroups page if user doesn't have access to. +- Enforce project features when searching blobs and wikis. +- Fixed branches dropdown rendering branch names as HTML. +- Make Asciidoc & other markup go through pipeline to prevent XSS. +- Validate URLs in markdown using URI to detect the host correctly. +- Fix for XSS in project import view caused by Hamlit filter usage. +- Sanitize submodule URLs before linking to them in the file tree view. +- Refactor snippets finder & dont return internal snippets for external users. +- Fix snippets visibility for show action - external users can not see internal snippets. + ## 9.1.2 (2017-05-01) - Add index on ci_runners.contacted_at. !10876 (blackst0ne) @@ -276,6 +288,18 @@ entry. - Only send chat notifications for the default branch. - Don't fill in the default kubernetes namespace. +## 9.0.7 (2017-05-05) + +- Enforce project features when searching blobs and wikis. +- Fixed branches dropdown rendering branch names as HTML. +- Make Asciidoc & other markup go through pipeline to prevent XSS. +- Validate URLs in markdown using URI to detect the host correctly. +- Fix for XSS in project import view caused by Hamlit filter usage. +- Sanitize submodule URLs before linking to them in the file tree view. +- Refactor snippets finder & dont return internal snippets for external users. +- Fix snippets visibility for show action - external users can not see internal snippets. +- Do not show private groups on subgroups page if user doesn't have access to. + ## 9.0.6 (2017-04-21) - Bugfix: POST /projects/:id/hooks and PUT /projects/:id/hook/:hook_id no longer ignore the the job_events param in the V4 API. !10586 @@ -620,6 +644,17 @@ entry. - Change development tanuki favicon colors to match logo color order. - API issues - support filtering by iids. +## 8.17.6 (2017-05-05) + +- Enforce project features when searching blobs and wikis. +- Fixed branches dropdown rendering branch names as HTML. +- Make Asciidoc & other markup go through pipeline to prevent XSS. +- Validate URLs in markdown using URI to detect the host correctly. +- Fix for XSS in project import view caused by Hamlit filter usage. +- Sanitize submodule URLs before linking to them in the file tree view. +- Refactor snippets finder & dont return internal snippets for external users. +- Fix snippets visibility for show action - external users can not see internal snippets. + ## 8.17.5 (2017-04-05) - Don’t show source project name when user does not have access. diff --git a/app/assets/javascripts/droplab/constants.js b/app/assets/javascripts/droplab/constants.js index 8883ed9aa14..868d47e91b3 100644 --- a/app/assets/javascripts/droplab/constants.js +++ b/app/assets/javascripts/droplab/constants.js @@ -3,11 +3,14 @@ const DATA_DROPDOWN = 'data-dropdown'; const SELECTED_CLASS = 'droplab-item-selected'; const ACTIVE_CLASS = 'droplab-item-active'; const IGNORE_CLASS = 'droplab-item-ignore'; +// Matches `{{anything}}` and `{{ everything }}`. +const TEMPLATE_REGEX = /\{\{(.+?)\}\}/g; export { DATA_TRIGGER, DATA_DROPDOWN, SELECTED_CLASS, ACTIVE_CLASS, + TEMPLATE_REGEX, IGNORE_CLASS, }; diff --git a/app/assets/javascripts/droplab/drop_down.js b/app/assets/javascripts/droplab/drop_down.js index 1fb4d63923c..de3927d683c 100644 --- a/app/assets/javascripts/droplab/drop_down.js +++ b/app/assets/javascripts/droplab/drop_down.js @@ -94,7 +94,7 @@ Object.assign(DropDown.prototype, { }, renderChildren: function(data) { - var html = utils.t(this.templateString, data); + var html = utils.template(this.templateString, data); var template = document.createElement('div'); template.innerHTML = html; diff --git a/app/assets/javascripts/droplab/utils.js b/app/assets/javascripts/droplab/utils.js index c149a33a1e9..4da7344604e 100644 --- a/app/assets/javascripts/droplab/utils.js +++ b/app/assets/javascripts/droplab/utils.js @@ -1,19 +1,19 @@ /* eslint-disable */ -import { DATA_TRIGGER, DATA_DROPDOWN } from './constants'; +import { template as _template } from 'underscore'; +import { DATA_TRIGGER, DATA_DROPDOWN, TEMPLATE_REGEX } from './constants'; const utils = { toCamelCase(attr) { return this.camelize(attr.split('-').slice(1).join(' ')); }, - t(s, d) { - for (const p in d) { - if (Object.prototype.hasOwnProperty.call(d, p)) { - s = s.replace(new RegExp(`{{${p}}}`, 'g'), d[p]); - } - } - return s; + template(templateString, data) { + const template = _template(templateString, { + escape: TEMPLATE_REGEX, + }); + + return template(data); }, camelize(str) { diff --git a/app/assets/javascripts/filtered_search/dropdown_hint.js b/app/assets/javascripts/filtered_search/dropdown_hint.js index 3e7a892756c..5e9434fd48f 100644 --- a/app/assets/javascripts/filtered_search/dropdown_hint.js +++ b/app/assets/javascripts/filtered_search/dropdown_hint.js @@ -62,7 +62,7 @@ class DropdownHint extends gl.FilteredSearchDropdown { Object.assign({ icon: `fa-${icon}`, hint, - tag: `<${tag}>`, + tag: `<${tag}>`, }, type && { type }), ); } diff --git a/spec/javascripts/droplab/constants_spec.js b/spec/javascripts/droplab/constants_spec.js index fd153a49fcd..b9d28db74cc 100644 --- a/spec/javascripts/droplab/constants_spec.js +++ b/spec/javascripts/droplab/constants_spec.js @@ -27,6 +27,12 @@ describe('constants', function () { }); }); + describe('TEMPLATE_REGEX', function () { + it('should be a handlebars templating syntax regex', function() { + expect(constants.TEMPLATE_REGEX).toEqual(/\{\{(.+?)\}\}/g); + }); + }); + describe('IGNORE_CLASS', function () { it('should be `droplab-item-ignore`', function() { expect(constants.IGNORE_CLASS).toBe('droplab-item-ignore'); diff --git a/spec/javascripts/droplab/drop_down_spec.js b/spec/javascripts/droplab/drop_down_spec.js index 7516b301917..e7786e8cc2c 100644 --- a/spec/javascripts/droplab/drop_down_spec.js +++ b/spec/javascripts/droplab/drop_down_spec.js @@ -451,7 +451,7 @@ describe('DropDown', function () { this.html = 'html'; this.template = { firstChild: { outerHTML: 'outerHTML', style: {} } }; - spyOn(utils, 't').and.returnValue(this.html); + spyOn(utils, 'template').and.returnValue(this.html); spyOn(document, 'createElement').and.returnValue(this.template); spyOn(this.dropdown, 'setImagesSrc'); @@ -459,7 +459,7 @@ describe('DropDown', function () { }); it('should call utils.t with .templateString and data', function () { - expect(utils.t).toHaveBeenCalledWith(this.templateString, this.data); + expect(utils.template).toHaveBeenCalledWith(this.templateString, this.data); }); it('should call document.createElement', function () { |