Merge branch 'prevent-html-injection' into 'master'

Prevent html injection Commits page renders commit description with single_format method which allows html tags. So commit message with html tags brokers Commits page. See screenshot ![Screenshot 2014-07-10 11.16.40](https://dev.gitlab.org/uploads/gitlab/gitlabhq/6606e1bac0/Screenshot_2014-07-10_11.16.40.png) See merge request !959

Merge branch 'prevent-html-injection' into 'master'
Prevent html injection Commits page renders commit description with single_format method which allows html tags. So commit message with html tags brokers Commits page. See screenshot ![Screenshot 2014-07-10 11.16.40](https://dev.gitlab.org/uploads/gitlab/gitlabhq/6606e1bac0/Screenshot_2014-07-10_11.16.40.png) See merge request !959
a338954c · Dmitriy Zaporozhets · 4fb5a39d · 53a8d50b · a338954c · a338954c
Commit a338954c authored Jul 10, 2014 by Dmitriy Zaporozhets
Showing with 12 additions and 3 deletions

app/assets/stylesheets/sections/commits.scss app/assets/stylesheets/sections/commits.scss +10 -2

app/views/projects/commits/_commit.html.haml app/views/projects/commits/_commit.html.haml +2 -1

No files found.
--- a/app/assets/stylesheets/sections/commits.scss
+++ b/app/assets/stylesheets/sections/commits.scss
@@ -177,10 +177,18 @@ li.commit {

  .commit-row-description {
    font-size: 14px;
-    border-left: 1px solid #e5e5e5;
-    padding: 0 15px 0 7px;
+    border-left: 1px solid #EEE;
+    padding: 10px 15px;
    margin: 5px 0 10px 5px;
+    background: #f9f9f9;
    display: none;
+
+    pre {
+      border: none;
+      background: inherit;
+      padding: 0;
+      margin: 0;
+    }
  }

  .commit-row-info {

--- a/app/views/projects/commits/_commit.html.haml
+++ b/app/views/projects/commits/_commit.html.haml
@@ -22,7 +22,8 @@

  - if commit.description?
    .commit-row-description.js-toggle-content
-      = simple_format(commit.description)
+      %pre
+        = commit.description

  .commit-row-info
    = commit_author_link(commit, avatar: true, size: 16)