-
Douwe Maan authored
Remove persistent XSS vulnerability in `commit_person_link` helper Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126 See merge request !1948 Signed-off-by: Rémy Coutable <remy@rymai.me>
2c9cd67f
To find the state of this project's repository at the time of any of these versions, check out
the tags.