Remove persistent XSS vulnerability in `commit_person_link` helper

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948

Remove persistent XSS vulnerability in `commit_person_link` helper
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948
5ac95d0f · Robert Speicher · c0031290 · 5ac95d0f · 5ac95d0f · 5ac95d0f
Commit 5ac95d0f authored Apr 19, 2016 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

CHANGELOG CHANGELOG +3 -0

app/helpers/commits_helper.rb app/helpers/commits_helper.rb +1 -1

app/helpers/projects_helper.rb app/helpers/projects_helper.rb +1 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.
+v 8.3.8
+  - Remove persistent XSS vulnerability in `commit_person_link` helper
 v 8.3.7
  - Fix a 2FA authentication spoofing vulnerability.

--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -152,7 +152,7 @@ module CommitsHelper
    options = {
      class: "commit-#{options[:source]}-link has_tooltip",
-      data: { :'original-title' => sanitize(source_email) }
+      title: source_email
    }
    if user.nil?

--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,7 @@ module ProjectsHelper
      link_to(author_html, user_path(author), class: "author_link").html_safe
    else
      title = opts[:title].sub(":name", sanitize(author.name))
-      link_to(author_html, user_path(author), class: "author_link has_tooltip", data: { :'original-title' => title, container: 'body' } ).html_safe
+      link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' } ).html_safe
    end
  end