From 927f608f2c4905e430d2df1c455cec793ef41aa9 Mon Sep 17 00:00:00 2001
From: Patrick Derichs
Date: Mon, 15 Jul 2019 13:29:56 +0200
Subject: Fix HTML injection for label description

Add changelog entry

Add spec
---
 app/helpers/labels_helper.rb | 2 +-
 app/models/label.rb          | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

(limited to 'app')

diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index 2ed016beea4..c5a3507637e 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -71,7 +71,7 @@ module LabelsHelper
   end
 
   def label_tooltip_title(label)
-    label.description
+    Sanitize.clean(label.description)
   end
 
   def suggested_colors
diff --git a/app/models/label.rb b/app/models/label.rb
index 25de26b8384..19f684c32af 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -197,7 +197,11 @@ class Label < ApplicationRecord
   end
 
   def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
   end
 
   ##
@@ -258,7 +262,7 @@ class Label < ApplicationRecord
     end
   end
 
-  def sanitize_title(value)
+  def sanitize_value(value)
     CGI.unescapeHTML(Sanitize.clean(value.to_s))
   end
 
--
cgit v1.2.1
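Review bot: `Sanitize.clean(label.description)` in label_tooltip_title is passed the raw attribute, which may be nil for labels without a description; `Sanitize.clean(label.description.to_s)` would make the helper independent of how the installed Sanitize version treats nil (the model's sanitize_value already does the `.to_s` itself). Note also that Sanitize returns a plain, non-html_safe String with `&`, `<` and `>` entity-encoded, while the model stores values after CGI.unescapeHTML, so a description containing a literal `&` will come back as `&amp;` here and, if the caller then renders it through Rails' attribute escaping, may display doubly escaped — the caller is outside this hunk, so that is worth checking. The defense-in-depth here is still valuable because it covers descriptions written before the model-level sanitizing existed. A short comment such as `# Sanitized at read time too: existing rows predate the description= setter` would make that intent explicit.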
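Review bot: The new `description=` setter only writes when `value.present?`, so assigning nil or "" is silently ignored and an existing description can never be cleared through this setter; that guard makes sense for the required title but not for an optional field. `write_attribute(:description, value.present? ? sanitize_value(value) : value)` keeps the sanitizing for real content while still letting blank assignments through, assuming callers rely on blank assignment to clear the field. A one-line comment on the setter, e.g. `# Strip HTML on write so stored descriptions are plain text`, would document why the override exists. The Label class continues outside this hunk.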