Add html escaping for default branch name

This escapes html chars for default branch name value in initializing repository instructions This is to prevent XSS vulnerability Changelog: security

Add html escaping for default branch name
This escapes html chars for default branch name value in initializing repository instructions This is to prevent XSS vulnerability Changelog: security
dbdc999e · Dheeraj Joshi · 5912f3de · dbdc999e
Commit dbdc999e authored Jul 29, 2021 by Dheeraj Joshi
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

app/views/projects/empty.html.haml app/views/projects/empty.html.haml +4 -4

No files found.
--- a/app/views/projects/empty.html.haml
+++ b/app/views/projects/empty.html.haml
@@ -44,26 +44,26 @@
          :preserve
            git clone #{ content_tag(:span, default_url_to_repo, class: 'js-clone')}
            cd #{h @project.path}
-            git switch -c #{default_branch_name}
+            git switch -c #{h default_branch_name}
            touch README.md
            git add README.md
            git commit -m "add README"
          - if @project.can_current_user_push_to_default_branch?
            %span><
-              git push -u origin #{ default_branch_name }
+              git push -u origin #{h default_branch_name }

      %fieldset
        %h5= _('Push an existing folder')
        %pre.bg-light
          :preserve
            cd existing_folder
-            git init --initial-branch=#{default_branch_name}
+            git init --initial-branch=#{h default_branch_name}
            git remote add origin #{ content_tag(:span, default_url_to_repo, class: 'js-clone')}
            git add .
            git commit -m "Initial commit"
          - if @project.can_current_user_push_to_default_branch?
            %span><
-              git push -u origin #{ default_branch_name }
+              git push -u origin #{h default_branch_name }

      %fieldset
        %h5= _('Push an existing Git repository')