From da8f9992bed1375323ce9c77a491878d2ff09bce Mon Sep 17 00:00:00 2001
From: Phil Hughes
Date: Wed, 18 Apr 2018 07:40:33 +0000
Subject: Merge branch '10-5-security_issue_42029' into 'security-10-5'

Sanitize user name to avoid XSS attacks

See merge request gitlab/gitlabhq!2374
---
 app/assets/javascripts/sidebar/lib/sidebar_move_issue.js | 4 +++-
 changelogs/unreleased/security_issue_42029.yml | 5 +++++
 spec/javascripts/sidebar/mock_data.js | 2 +-
 spec/javascripts/sidebar/sidebar_move_issue_spec.js | 9 +++++++++
 4 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/unreleased/security_issue_42029.yml

diff --git a/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js b/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
index 977dd83a7ea..1f05d4a77cc 100644
--- a/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
+++ b/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
@@ -1,3 +1,5 @@
+import _ from 'underscore';
+
 function isValidProjectId(id) {
 return id > 0;
 }
@@ -41,7 +43,7 @@ class SidebarMoveIssue {
 renderRow: project => `
  • - ${project.name_with_namespace} + ${_.escape(project.name_with_namespace)}
  • `,
diff --git a/changelogs/unreleased/security_issue_42029.yml b/changelogs/unreleased/security_issue_42029.yml
new file mode 100644
index 00000000000..0772e33f930
--- /dev/null
+++ b/changelogs/unreleased/security_issue_42029.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitizes user name to avoid XSS attacks
+merge_request:
+author:
+type: security
diff --git a/spec/javascripts/sidebar/mock_data.js b/spec/javascripts/sidebar/mock_data.js
index d9e84e35f69..19183abf1af 100644
--- a/spec/javascripts/sidebar/mock_data.js
+++ b/spec/javascripts/sidebar/mock_data.js
@@ -130,7 +130,7 @@ const RESPONSE_MAP = {
 'name_with_namespace': 'No project',
 }, {
 'id': 20,
- 'name_with_namespace': 'foo / bar',
+ 'name_with_namespace': ' foo / bar',
 },
 ],
 },
diff --git a/spec/javascripts/sidebar/sidebar_move_issue_spec.js b/spec/javascripts/sidebar/sidebar_move_issue_spec.js
index 97f762d07a7..136964426f3 100644
--- a/spec/javascripts/sidebar/sidebar_move_issue_spec.js
+++ b/spec/javascripts/sidebar/sidebar_move_issue_spec.js
@@ -68,6 +68,15 @@ describe('SidebarMoveIssue', () => {
 expect($.fn.glDropdown).toHaveBeenCalled();
 });
+
+ it('escapes html from project name', (done) => {
+ this.$toggleButton.dropdown('toggle');
+
+ setTimeout(() => {
+ expect(this.$content.find('.js-move-issue-dropdown-item')[1].innerHTML.trim()).toEqual('<img src=x onerror=alert(document.domain)> foo / bar');
+ done();
+ });
+ });
 });
 describe('onConfirmClicked', () => {
--
cgit v1.2.1
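Review bot: The `_.escape` at the `+` line covers `name_with_namespace`, but the row template around it is only partly visible here (the markup between `renderRow: project => \`` and the closing backtick appears stripped in this rendering), so any other `project.*` field interpolated into that template — especially into an attribute value — needs the same treatment, and a why-comment would keep a later edit from reintroducing the hole: `// name_with_namespace is user-controlled (namespace + project name); escape it because renderRow builds HTML from a template string.` The commit title and changelog say "user name" while the code escapes the project's name with namespace; the namespace may well be a username, but "project name with namespace" would describe the fix accurately. `_.escape` covers `& < > " ' \`` so it is adequate for the text-node position shown. The `renderRow` arrow function sits inside a larger options object whose start and end lie outside the hunk.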
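Review bot: The fixture value at the `+` line is a deliberate XSS payload but nothing says so (as rendered here it reads `' foo / bar'` with a leading space, which suggests the `<img …>` tag the spec expects was stripped by the page and should be checked against the real file), so a later tidy-up could "fix" the odd-looking string and silently remove the only escaping coverage. Add a comment directly above it: `// deliberately contains markup: sidebar_move_issue_spec asserts it is escaped, not rendered`. The enclosing `RESPONSE_MAP` literal starts and ends outside the hunk.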
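Review bot: The assertion at `expect(this.$content.find('.js-move-issue-dropdown-item')[1]…` pins the escaped string but ties the test to fixture order (`[1]`), and as rendered here it compares against a literal `<img …>` rather than the entity-escaped form, which should be verified against the real file since the former would pass only if the payload were injected unescaped. A structural check states the security intent directly and survives fixture reordering: `expect(this.$content.find('.js-move-issue-dropdown-item img').length).toBe(0);`. The bare `setTimeout(() => {…})` with no delay assumes the dropdown renders within one macrotask; if `glDropdown` renders after a promise or fetch this becomes flaky, though the render path is not visible here. The enclosing `describe('SidebarMoveIssue', …)` block starts and ends outside the hunk.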