Merge branch 'rs-label-xss' into 'master'

Remove XSS vulnerability in Label and Milestone dropdowns Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15389 See merge request !1951

Merge branch 'rs-label-xss' into 'master'
Remove XSS vulnerability in Label and Milestone dropdowns Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15389 See merge request !1951
33a483e7 · Jacob Schatz · 55380e69 · 8de18d41 · 33a483e7 · 33a483e7
Commit 33a483e7 authored Apr 19, 2016 by Jacob Schatz
Showing with 7 additions and 7 deletions

app/assets/javascripts/labels_select.js.coffee app/assets/javascripts/labels_select.js.coffee +5 -5

app/assets/javascripts/milestone_select.js.coffee app/assets/javascripts/milestone_select.js.coffee +2 -2

No files found.
--- a/app/assets/javascripts/labels_select.js.coffee
+++ b/app/assets/javascripts/labels_select.js.coffee
@@ -33,13 +33,13 @@ class @LabelsSelect
      if issueUpdateURL
        labelHTMLTemplate = _.template(
            '<% _.each(labels, function(label){ %>
-            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= label.title %>">
-            <span class="label has-tooltip color-label" title="<%= label.description %>" style="background-color: <%= label.color %>;">
-            <%= label.title %>
+            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= _.escape(label.title) %>">
+            <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>;">
+            <%= _.escape(label.title) %>
            </span>
            </a>
            <% }); %>'
-        );
+        )
        labelNoneHTMLTemplate = _.template('<div class="light">None</div>')

      if newLabelField.length and $dropdown.hasClass 'js-extra-options'
@@ -211,7 +211,7 @@ class @LabelsSelect
          "<li>
            <a href='#' class='#{selectedClass}'>
              #{color}
-              #{label.title}
+              #{_.escape(label.title)}
            </a>
          </li>"
        filterable: true

--- a/app/assets/javascripts/milestone_select.js.coffee
+++ b/app/assets/javascripts/milestone_select.js.coffee
@@ -24,7 +24,7 @@ class @MilestoneSelect

      if issueUpdateURL
        milestoneLinkTemplate = _.template(
-          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>"><%= title %></a>'
+          '<a href="/<%= namespace %>/<%= path %>/milestones/<%= iid %>"><%= _.escape(title) %></a>'
        )

        milestoneLinkNoneTemplate = '<div class="light">None</div>'
@@ -71,7 +71,7 @@ class @MilestoneSelect
            defaultLabel
        fieldName: $dropdown.data('field-name')
        text: (milestone) ->
-          milestone.title
+          _.escape(milestone.title)
        id: (milestone) ->
          if !useId
            milestone.name