From c26e9027d31b0735cea438eaa7bf787bc5b6e3a7 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Wed, 3 May 2017 14:28:46 +0000
Subject: Merge branch 'branch-name-escape' into 'security'

Fix XSS in branches dropdown

See merge request !2093
---
 app/assets/javascripts/gl_dropdown.js | 2 +-
 changelogs/unreleased/branch-name-escape.yml | 4 ++++
 spec/javascripts/gl_dropdown_spec.js | 20 ++++++++++++++------
 3 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 changelogs/unreleased/branch-name-escape.yml

diff --git a/app/assets/javascripts/gl_dropdown.js b/app/assets/javascripts/gl_dropdown.js
index 0c9eb84f0eb..ef423691ece 100644
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -610,7 +610,7 @@ GitLabDropdown = (function() {
 var link = document.createElement('a');
 link.href = url;
- link.innerHTML = text;
+ link.textContent = text;
 if (selected) {
 link.className = 'is-active';
diff --git a/changelogs/unreleased/branch-name-escape.yml b/changelogs/unreleased/branch-name-escape.yml
new file mode 100644
index 00000000000..bf46235fd79
--- /dev/null
+++ b/changelogs/unreleased/branch-name-escape.yml
@@ -0,0 +1,4 @@
+---
+title: Fixed branches dropdown rendering branch names as HTML
+merge_request:
+author:
diff --git a/spec/javascripts/gl_dropdown_spec.js b/spec/javascripts/gl_dropdown_spec.js
index c207fb00a47..42c6e328fac 100644
--- a/spec/javascripts/gl_dropdown_spec.js
+++ b/spec/javascripts/gl_dropdown_spec.js
@@ -52,12 +52,8 @@ require('~/lib/utils/url_utility');
 search: {
 fields: ['name']
 },
- text: (project) => {
- (project.name_with_namespace || project.name);
- },
- id: (project) => {
- project.id;
- }
+ text: project => (project.name_with_namespace || project.name),
+ id: project => project.id
 });
 }
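Review bot: The switch to `link.textContent` on the `+` line fixes the sink but leaves no trace of why it matters, so a later refactor could reintroduce `innerHTML` to get rich item rendering back; add `// textContent, not innerHTML: item text (e.g. branch names) is user-controlled` above that line. The line just before it, `link.href = url;`, assigns the URL unchanged, and `textContent` does nothing for that attribute; if `url` can also derive from user input, confirm its scheme is validated before it reaches this point. The enclosing function starts and ends outside the hunk, so any other spot in it that renders item text as HTML is not visible here and deserves the same check.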
@@ -80,6 +76,18 @@ require('~/lib/utils/url_utility');
 expect(this.dropdownContainerElement).toHaveClass('open');
 });
+ it('escapes HTML as text', () => {
+ this.projectsData[0].name_with_namespace = '';
+
+ initDropDown.call(this, false);
+
+ this.dropdownButtonElement.click();
+
+ expect(
+ $('.dropdown-content li:first-child').text(),
+ ).toBe('');
+ });
+
 describe('that is open', () => {
 beforeEach(() => {
 initDropDown.call(this, false, false);
--
cgit v1.2.1
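Review bot: As displayed, the new spec assigns `name_with_namespace = ''` and then expects `.text()` to be `''`, which would also pass against the old `innerHTML` code and so does not prove that markup is escaped; the markup in the fixture string was presumably stripped when this page was rendered, so confirm the committed spec sets a value containing a tag and compares `.text()` against that same raw string. It would also be worth adding a second assertion on `$('.dropdown-content li:first-child').html()` expecting the escaped form (`&lt;` rather than `<`), so the test pins the rendering rather than the visible text alone. The enclosing `describe` block starts and ends outside the hunk.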