Commit 824db287 authored by Cindy Pallares's avatar Cindy Pallares

Merge branch 'security-mr-approvers-xss' into 'master'

[master] Fixed XSS in merge request approvers

Closes #353

See merge request gitlab/gitlab-ee!662
parents 6d0c6141 f5ec6289
...@@ -114,7 +114,7 @@ export default class ApproversSelect { ...@@ -114,7 +114,7 @@ export default class ApproversSelect {
} }
static formatSelection(group) { static formatSelection(group) {
return group.full_name || group.name; return _.escape(group.full_name || group.name);
} }
static formatResult({ static formatResult({
......
---
title: Fixes XSS with merge request approvers selection
merge_request:
author:
type: security
...@@ -59,4 +59,22 @@ describe('ApproversSelect', () => { ...@@ -59,4 +59,22 @@ describe('ApproversSelect', () => {
expect(output).not.toContain('<script>alert("testing")</script>'); expect(output).not.toContain('<script>alert("testing")</script>');
}); });
}); });
describe('formatSelection', () => {
it('escapes full name', () => {
expect(
ApproversSelect.formatSelection({
full_name: '<script>alert("testing")</script>',
}),
).not.toBe('<script>alert("testing")</script>');
});
it('escapes name', () => {
expect(
ApproversSelect.formatSelection({
name: '<script>alert("testing")</script>',
}),
).not.toBe('<script>alert("testing")</script>');
});
});
}); });
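Review bot: Both new specs only assert that formatSelection's output is not byte-equal to the raw payload (`.not.toBe('<script>alert("testing")</script>')`), so they would pass for any transformation that alters the string, including one that still leaves it injectable; pin the escaped form instead, `.toBe('&lt;script&gt;alert(&quot;testing&quot;)&lt;/script&gt;')`, which is what `_.escape` produces for that input. There is also no spec for the fallback order — a group with both keys should yield the escaped `full_name`, and an empty-string `full_name` falls through to `name` because of `||` — so a regression in that branch would go unnoticed; one `it('prefers full_name over name', …)` case with both keys set would cover it. The enclosing describe('ApproversSelect') block starts outside the hunk.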