From ba37848d584056069ae83955e53ce51a3ba1a0fe Mon Sep 17 00:00:00 2001
From: Clement Ho <clement@gitlab.com>
Date: Mon, 28 Aug 2017 18:41:12 +0000
Subject: Merge branch 'fix-user-select-dropdown-escaping' into 'security-9-5'

Fixes the User Selection Display (9.5)

See merge request gitlab/gitlabhq!2177
---
 app/assets/javascripts/users_select.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'app/assets/javascripts/users_select.js')

diff --git a/app/assets/javascripts/users_select.js b/app/assets/javascripts/users_select.js
index a31fedee021..73676bd6de7 100644
--- a/app/assets/javascripts/users_select.js
+++ b/app/assets/javascripts/users_select.js
@@ -75,7 +75,7 @@ function UsersSelect(currentUser, els) {
 
         if (currentUserInfo) {
           input.value = currentUserInfo.id;
-          input.dataset.meta = currentUserInfo.name;
+          input.dataset.meta = _.escape(currentUserInfo.name);
         } else if (_this.currentUser) {
           input.value = _this.currentUser.id;
         }
@@ -198,7 +198,7 @@ function UsersSelect(currentUser, els) {
             };
           }
           $value.html(assigneeTemplate(user));
-          $collapsedSidebar.attr('title', user.name).tooltip('fixTitle');
+          $collapsedSidebar.attr('title', _.escape(user.name)).tooltip('fixTitle');
           return $collapsedSidebar.html(collapsedAssigneeTemplate(user));
         });
       };
@@ -506,7 +506,7 @@ function UsersSelect(currentUser, els) {
 
           img = "";
           if (user.beforeDivider != null) {
-            `<li><a href='#' class='${selected === true ? 'is-active' : ''}'>${user.name}</a></li>`;
+            `<li><a href='#' class='${selected === true ? 'is-active' : ''}'>${_.escape(user.name)}</a></li>`;
           } else {
             if (avatar) {
               img = "<img src='" + avatar + "' class='avatar avatar-inline' width='32' />";
@@ -518,7 +518,7 @@ function UsersSelect(currentUser, els) {
               <a href='#' class='dropdown-menu-user-link ${selected === true ? 'is-active' : ''}'>
                 ${img}
                 <strong class='dropdown-menu-user-full-name'>
-                  ${user.name}
+                  ${_.escape(user.name)}
                 </strong>
                 ${username ? `<span class='dropdown-menu-user-username'>${username}</span>` : ''}
               </a>
@@ -643,11 +643,11 @@ UsersSelect.prototype.formatResult = function(user) {
   } else {
     avatar = gon.default_avatar_url;
   }
-  return "<div class='user-result " + (!user.username ? 'no-username' : void 0) + "'> <div class='user-image'><img class='avatar avatar-inline s32' src='" + avatar + "'></div> <div class='user-name dropdown-menu-user-full-name'>" + user.name + "</div> <div class='user-username dropdown-menu-user-username'>" + (!user.invite ? "@" + _.escape(user.username) : "") + "</div> </div>";
+  return "<div class='user-result " + (!user.username ? 'no-username' : void 0) + "'> <div class='user-image'><img class='avatar avatar-inline s32' src='" + avatar + "'></div> <div class='user-name dropdown-menu-user-full-name'>" + _.escape(user.name) + "</div> <div class='user-username dropdown-menu-user-username'>" + (!user.invite ? "@" + _.escape(user.username) : "") + "</div> </div>";
 };
 
 UsersSelect.prototype.formatSelection = function(user) {
-  return user.name;
+  return _.escape(user.name);
 };
 
 UsersSelect.prototype.user = function(user_id, callback) {
-- 
cgit v1.2.1