Commit a338954c authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'prevent-html-injection' into 'master'

Prevent html injection

Commits page renders commit description with single_format method which allows html tags. So commit message with html tags brokers Commits page. See screenshot

![Screenshot 2014-07-10 11.16.40](https://dev.gitlab.org/uploads/gitlab/gitlabhq/6606e1bac0/Screenshot_2014-07-10_11.16.40.png)

See merge request !959
parents 4fb5a39d 53a8d50b
...@@ -177,10 +177,18 @@ li.commit { ...@@ -177,10 +177,18 @@ li.commit {
.commit-row-description { .commit-row-description {
font-size: 14px; font-size: 14px;
border-left: 1px solid #e5e5e5; border-left: 1px solid #EEE;
padding: 0 15px 0 7px; padding: 10px 15px;
margin: 5px 0 10px 5px; margin: 5px 0 10px 5px;
background: #f9f9f9;
display: none; display: none;
pre {
border: none;
background: inherit;
padding: 0;
margin: 0;
}
} }
.commit-row-info { .commit-row-info {
......
...@@ -22,7 +22,8 @@ ...@@ -22,7 +22,8 @@
- if commit.description? - if commit.description?
.commit-row-description.js-toggle-content .commit-row-description.js-toggle-content
= simple_format(commit.description) %pre
= commit.description
.commit-row-info .commit-row-info
= commit_author_link(commit, avatar: true, size: 16) = commit_author_link(commit, avatar: true, size: 16)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment