Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
0a59ccac
Commit
0a59ccac
authored
Jul 10, 2018
by
Phil Hughes
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fixed XSS in branch name in Web IDE
#2691
parent
1fb0fc3a
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
15 additions
and
1 deletion
+15
-1
app/assets/javascripts/ide/components/commit_sidebar/actions.vue
...ets/javascripts/ide/components/commit_sidebar/actions.vue
+2
-1
changelogs/unreleased/security-ide-branch-name-xss.yml
changelogs/unreleased/security-ide-branch-name-xss.yml
+5
-0
spec/javascripts/ide/components/commit_sidebar/actions_spec.js
...javascripts/ide/components/commit_sidebar/actions_spec.js
+8
-0
No files found.
app/assets/javascripts/ide/components/commit_sidebar/actions.vue
View file @
0a59ccac
<
script
>
<
script
>
import
_
from
'
underscore
'
;
import
{
mapActions
,
mapState
,
mapGetters
}
from
'
vuex
'
;
import
{
mapActions
,
mapState
,
mapGetters
}
from
'
vuex
'
;
import
{
sprintf
,
__
}
from
'
~/locale
'
;
import
{
sprintf
,
__
}
from
'
~/locale
'
;
import
*
as
consts
from
'
../../stores/modules/commit/constants
'
;
import
*
as
consts
from
'
../../stores/modules/commit/constants
'
;
...
@@ -14,7 +15,7 @@ export default {
...
@@ -14,7 +15,7 @@ export default {
commitToCurrentBranchText
()
{
commitToCurrentBranchText
()
{
return
sprintf
(
return
sprintf
(
__
(
'
Commit to %{branchName} branch
'
),
__
(
'
Commit to %{branchName} branch
'
),
{
branchName
:
`<strong class="monospace">
${
this
.
currentBranchId
}
</strong>`
},
{
branchName
:
`<strong class="monospace">
${
_
.
escape
(
this
.
currentBranchId
)
}
</strong>`
},
false
,
false
,
);
);
},
},
...
...
changelogs/unreleased/security-ide-branch-name-xss.yml
0 → 100644
View file @
0a59ccac
---
title
:
Fixed XSS in branch name in Web IDE
merge_request
:
author
:
type
:
security
spec/javascripts/ide/components/commit_sidebar/actions_spec.js
View file @
0a59ccac
...
@@ -46,4 +46,12 @@ describe('IDE commit sidebar actions', () => {
...
@@ -46,4 +46,12 @@ describe('IDE commit sidebar actions', () => {
done
();
done
();
});
});
});
});
describe
(
'
commitToCurrentBranchText
'
,
()
=>
{
it
(
'
escapes current branch
'
,
()
=>
{
vm
.
$store
.
state
.
currentBranchId
=
'
<img src="x" />
'
;
expect
(
vm
.
commitToCurrentBranchText
).
not
.
toContain
(
'
<img src="x" />
'
);
});
});
});
});
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment