Escape user names in access dropdowns

9e8d0829 · Phil Hughes · 7701c4ba · 9e8d0829 · 9e8d0829
Commit 9e8d0829 authored May 21, 2018 by Phil Hughes
2 changed files
--- a/ee/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/ee/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -458,7 +458,7 @@ export default class AccessDropdown {
      <li>
        <a href="#" class="${isActiveClass}">
          <img src="${user.avatar_url}" class="avatar avatar-inline" width="30">
-          <strong class="dropdown-menu-user-full-name">${user.name}</strong>
+          <strong class="dropdown-menu-user-full-name">${_.escape(user.name)}</strong>
          <span class="dropdown-menu-user-username">${user.username}</span>
        </a>
      </li>

--- a/spec/javascripts/ee/projects/settings/access_dropdown_spec.js
+++ b/spec/javascripts/ee/projects/settings/access_dropdown_spec.js
@@ -123,4 +123,17 @@ describe('AccessDropdown', () => {
      });
    });
  });
+
+  describe('userRowHtml', () => {
+    it('escapes users name', () => {
+      const user = {
+        avatar_url: '',
+        name: '<img src=x onerror=alert(document.domain)>',
+        username: 'test',
+      };
+      const template = dropdown.userRowHtml(user);
+
+      expect(template).not.toContain(user.name);
+    });
+  });
 });