Merge branch 'fl-fix-milestone-bug-10-6' into 'security-10-6'

Escape miletone attribute when appending to the DOM See merge request gitlab/gitlabhq!2359

Merge branch 'fl-fix-milestone-bug-10-6' into 'security-10-6'
Escape miletone attribute when appending to the DOM See merge request gitlab/gitlabhq!2359
0498a5dd · Phil Hughes · James Lopez · 39bb3720 · 0498a5dd · 0498a5dd
Commit 0498a5dd authored Mar 20, 2018 by Phil Hughes Committed by James Lopez Apr 05, 2018
Show whitespace changes
Inline Side-by-side

Showing with 21 additions and 4 deletions

app/assets/javascripts/milestone_select.js app/assets/javascripts/milestone_select.js +4 -4

spec/features/issues/form_spec.rb spec/features/issues/form_spec.rb +17 -0

No files found.
--- a/app/assets/javascripts/milestone_select.js
+++ b/app/assets/javascripts/milestone_select.js
@@ -94,10 +94,10 @@ export default class MilestoneSelect {
            if (showMenuAbove) {
              $dropdown.data('glDropdown').positionMenuAbove();
            }
-            $(`[data-milestone-id="${selectedMilestone}"] > a`).addClass('is-active');
+            $(`[data-milestone-id="${_.escape(selectedMilestone)}"] > a`).addClass('is-active');
          }),
        renderRow: milestone => `
-          <li data-milestone-id="${milestone.name}">
+          <li data-milestone-id="${_.escape(milestone.name)}">
            <a href='#' class='dropdown-menu-milestone-link'>
              ${_.escape(milestone.title)}
            </a>
@@ -125,7 +125,6 @@ export default class MilestoneSelect {
            return milestone.id;
          }
        },
-        isSelected: milestone => milestone.name === selectedMilestone,
        hidden: () => {
          $selectBox.hide();
          // display:block overrides the hide-collapse rule
@@ -137,7 +136,7 @@ export default class MilestoneSelect {
            selectedMilestone = $dropdown[0].dataset.selected || selectedMilestoneDefault;
          }
          $('a.is-active', $el).removeClass('is-active');
-          $(`[data-milestone-id="${selectedMilestone}"] > a`, $el).addClass('is-active');
+          $(`[data-milestone-id="${_.escape(selectedMilestone)}"] > a`, $el).addClass('is-active');
        },
        vue: $dropdown.hasClass('js-issue-board-sidebar'),
        clicked: (clickEvent) => {
@@ -158,6 +157,7 @@ export default class MilestoneSelect {
          const isMRIndex = (page === page && page === 'projects:merge_requests:index');
          const isSelecting = (selected.name !== selectedMilestone);
          selectedMilestone = isSelecting ? selected.name : selectedMilestoneDefault;
          if ($dropdown.hasClass('js-filter-bulk-update') || $dropdown.hasClass('js-issuable-form-dropdown')) {
            e.preventDefault();
            return;

--- a/spec/features/issues/form_spec.rb
+++ b/spec/features/issues/form_spec.rb
@@ -226,6 +226,23 @@ describe 'New/edit issue', :js do
      expect(page).to have_selector('.atwho-view')
    end
+    describe 'milestone' do
+      let!(:milestone) { create(:milestone, title: '">&lt;img src=x onerror=alert(document.domain)&gt;', project: project) }
+      it 'escapes milestone' do
+        click_button 'Milestone'
+        page.within '.issue-milestone' do
+          click_link milestone.title
+        end
+        page.within '.js-milestone-select' do
+          expect(page).to have_content milestone.title
+          expect(page).not_to have_selector 'img'
+        end
+      end
+    end
  end
  context 'edit issue' do