Prevent html injection on commits page by commit message

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Prevent html injection on commits page by commit message
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
53a8d50b · Dmitriy Zaporozhets · 4fb5a39d · 53a8d50b · 53a8d50b
Commit 53a8d50b authored Jul 10, 2014 by Dmitriy Zaporozhets
Showing with 12 additions and 3 deletions

app/assets/stylesheets/sections/commits.scss app/assets/stylesheets/sections/commits.scss +10 -2

app/views/projects/commits/_commit.html.haml app/views/projects/commits/_commit.html.haml +2 -1

No files found.
--- a/app/assets/stylesheets/sections/commits.scss
+++ b/app/assets/stylesheets/sections/commits.scss
@@ -177,10 +177,18 @@ li.commit {

  .commit-row-description {
    font-size: 14px;
-    border-left: 1px solid #e5e5e5;
-    padding: 0 15px 0 7px;
+    border-left: 1px solid #EEE;
+    padding: 10px 15px;
    margin: 5px 0 10px 5px;
+    background: #f9f9f9;
    display: none;
+
+    pre {
+      border: none;
+      background: inherit;
+      padding: 0;
+      margin: 0;
+    }
  }

  .commit-row-info {

--- a/app/views/projects/commits/_commit.html.haml
+++ b/app/views/projects/commits/_commit.html.haml
@@ -22,7 +22,8 @@

  - if commit.description?
    .commit-row-description.js-toggle-content
-      = simple_format(commit.description)
+      %pre
+        = commit.description

  .commit-row-info
    = commit_author_link(commit, avatar: true, size: 16)