Commit 6daf9677 authored by Robert Speicher's avatar Robert Speicher

Remove persistent XSS vulnerability in `commit_person_link` helper

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948
parent ba0f3b6e
Please view this file on the master branch, on stable branches it's out of date. Please view this file on the master branch, on stable branches it's out of date.
v 8.4.9
- Remove persistent XSS vulnerability in `commit_person_link` helper
v 8.4.8 v 8.4.8
- Fix a 2FA authentication spoofing vulnerability. - Fix a 2FA authentication spoofing vulnerability.
......
...@@ -152,7 +152,7 @@ module CommitsHelper ...@@ -152,7 +152,7 @@ module CommitsHelper
options = { options = {
class: "commit-#{options[:source]}-link has_tooltip", class: "commit-#{options[:source]}-link has_tooltip",
data: { :'original-title' => sanitize(source_email) } title: source_email
} }
if user.nil? if user.nil?
......
...@@ -40,7 +40,7 @@ module ProjectsHelper ...@@ -40,7 +40,7 @@ module ProjectsHelper
link_to(author_html, user_path(author), class: "author_link").html_safe link_to(author_html, user_path(author), class: "author_link").html_safe
else else
title = opts[:title].sub(":name", sanitize(author.name)) title = opts[:title].sub(":name", sanitize(author.name))
link_to(author_html, user_path(author), class: "author_link has_tooltip", data: { :'original-title' => title, container: 'body' } ).html_safe link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' } ).html_safe
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment