From 56b8d13b1adc6946a4b107e622aadaf0d6441696 Mon Sep 17 00:00:00 2001
From: Samantha Ming
Date: Thu, 10 Oct 2019 14:56:36 -0700
Subject: Sanitize search text to prevent XSS

---
 app/assets/javascripts/project_find_file.js | 3 ++-
 changelogs/unreleased/security-stored-xss-using-find-file.yml | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-stored-xss-using-find-file.yml

diff --git a/app/assets/javascripts/project_find_file.js b/app/assets/javascripts/project_find_file.js
index 60d3d83a4b2..bd5ab4f9ec4 100644
--- a/app/assets/javascripts/project_find_file.js
+++ b/app/assets/javascripts/project_find_file.js
@@ -5,6 +5,7 @@ import fuzzaldrinPlus from 'fuzzaldrin-plus';
 import axios from '~/lib/utils/axios_utils';
 import flash from '~/flash';
 import { __ } from '~/locale';
+import sanitize from 'sanitize-html';
 
 // highlight text(awefwbwgtc -> awefwbwgtc )
 const highlighter = function(element, text, matches) {
@@ -75,7 +76,7 @@ export default class ProjectFindFile {
   findFile() {
     var result, searchText;
-    searchText = this.inputElement.val();
+    searchText = sanitize(this.inputElement.val());
     result = searchText.length > 0 ? fuzzaldrinPlus.filter(this.filePaths, searchText) : this.filePaths;
     return this.renderList(result, searchText);
diff --git a/changelogs/unreleased/security-stored-xss-using-find-file.yml b/changelogs/unreleased/security-stored-xss-using-find-file.yml
new file mode 100644
index 00000000000..41cd2f9494f
--- /dev/null
+++ b/changelogs/unreleased/security-stored-xss-using-find-file.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize search text to prevent XSS
+merge_request:
+author:
+type: security
-- 
cgit v1.2.1
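Review bot: Sanitizing the query on the input side alters what the search matches while leaving the real sink untouched: in `findFile` the same `searchText` feeds both `fuzzaldrinPlus.filter` and `renderList`, and as far as I recall `sanitize-html`'s defaults it entity-encodes plain text characters such as `&`, `<` and `>`, so a query for a path containing `&` would now be filtered as `&amp;` and miss. The more robust shape keeps the raw value for matching and escapes only where the matched text is turned into markup, which presumably is the `highlighter` helper (its body is outside this hunk, so confirm whether it writes via `.html()`): e.g. `const rawText = this.inputElement.val();` for the filter call, with an HTML-escape applied to the fragments before any `<b>` wrapping. Note also that the diffstat touches no `package.json`/lockfile, so `sanitize-html` must already be a declared dependency of this bundle; worth verifying rather than assuming, since an undeclared import would only fail at build time. Whichever approach is kept, the sanitize call needs a why-comment such as `// The query is echoed into the rendered result list; strip markup so a crafted value cannot inject HTML.` The enclosing `findFile` method and the `ProjectFindFile` class both extend beyond this hunk.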