nexedi / gitlab-ce
Commit 1fbf6f18 authored Jun 15, 2018 by Imre Farkas
HTML escape the name of the user in ProjectsHelper#link_to_member
parent a8445cc2
Showing 3 changed files with 15 additions and 2 deletions (+15 -2):
app/helpers/projects_helper.rb (+2 -1)
changelogs/unreleased/security-html_escape_usernames.yml (+5 -0)
spec/helpers/projects_helper_spec.rb (+8 -1)
app/helpers/projects_helper.rb
@@ -40,7 +40,8 @@ module ProjectsHelper
name_tag_options
[
:class
]
<<
'has-tooltip'
end
content_tag
(
:span
,
sanitize
(
username
),
name_tag_options
)
# NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
content_tag
(
:span
,
username
,
name_tag_options
)
end
def
link_to_member
(
project
,
author
,
opts
=
{},
&
block
)
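Review bot: dropping `sanitize(username)` is the right fix, but the escaping that the new NOTE relies on is conditional: `content_tag` only escapes a body string that is not already marked `html_safe`. `sanitize` returned an html_safe `SafeBuffer` with tags like `<h1>` still allowed through, which is exactly why the old call rendered the name as markup. Worth confirming that nothing upstream of this helper marks `username` as html_safe (e.g. by passing it through another sanitizer or `.html_safe`), otherwise `content_tag(:span, username, name_tag_options)` would pass it through unescaped again; a spec that feeds an html_safe value here and asserts it is still escaped would pin that down.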
changelogs/unreleased/security-html_escape_usernames.yml
0 → 100644
---
title
:
HTML escape the name of the user in ProjectsHelper#link_to_member
merge_request
:
author
:
type
:
security
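Review bot: `merge_request:` and `author:` are left empty; fill in the merge request id once it is known so the changelog entry links back to the review discussion for this security fix. The `type: security` and the title matching the commit message are fine.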
spec/helpers/projects_helper_spec.rb
@@ -248,7 +248,7 @@ describe ProjectsHelper do
describe
'#link_to_member'
do
let
(
:group
)
{
build_stubbed
(
:group
)
}
let
(
:project
)
{
build_stubbed
(
:project
,
group:
group
)
}
let
(
:user
)
{
build_stubbed
(
:user
)
}
let
(
:user
)
{
build_stubbed
(
:user
,
name:
'<h1>Administrator</h1>'
)
}
describe
'using the default options'
do
it
'returns an HTML link to the user'
do
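Review bot: changing the shared `let(:user)` to `build_stubbed(:user, name: '<h1>Administrator</h1>')` makes every example in the `#link_to_member` block run with a hostile display name, not only the new escaping test, which is good coverage. The trade-off is that any existing example in this block that asserts on the rendered display name now has to expect the escaped form; the visible `'returns an HTML link to the user'` example matches on `user.username` only, so it is unaffected.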
@@ -256,6 +256,13 @@ describe ProjectsHelper do
expect
(
link
).
to
match
(
%r{/
#{
user
.
username
}
}
)
end
it
'HTML escapes the name of the user'
do
link
=
helper
.
link_to_member
(
project
,
user
)
expect
(
link
).
to
include
(
ERB
::
Util
.
html_escape
(
user
.
name
))
expect
(
link
).
not_to
include
(
user
.
name
)
end
end
end
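Review bot: the positive assertion `include(ERB::Util.html_escape(user.name))` is the one that actually locks in the fix; `expect(link).not_to include(user.name)` adds little on its own, since a regression that re-enabled `sanitize` would still be caught only by the first expectation. For a check that does not depend on the exact escaped spelling, consider parsing the output and asserting that no element was created from the name, e.g. `expect(Nokogiri::HTML.fragment(link).css('h1')).to be_empty`, so the test keeps its meaning if the escaping strategy changes.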