• Drew Blessing's avatar
    Prevent XSS in group name validations · 63d16c58
    Drew Blessing authored
    GitLab currently uses a regex to validate group names.
    It has proved difficult to prevent XSS problems. In trying to
    chase XSS issues we've tightened the regex and don't allow
    some completely benign characters on their own, such as
    parentheses. This results in a worse user experience and may not
    really protect from XSS. Instead, this now uses the
    Rails::Html::FullSanitizer to validate group names.
    63d16c58
subscriptions_controller_spec.rb 6.58 KB