Merge branch 'mr-xss' into 'master'

Escape user-provided content in preserved HAML sections See merge request !1927

Merge branch 'mr-xss' into 'master'
Escape user-provided content in preserved HAML sections See merge request !1927
df1f4433 · Robert Speicher · 86556a07 · 9f31f95a · df1f4433 · df1f4433
Commit df1f4433 authored Sep 08, 2015 by Robert Speicher
3 changed files
--- a/app/views/projects/empty.html.haml
+++ b/app/views/projects/empty.html.haml
@@ -22,15 +22,15 @@
    %h5 Git global setup
    %pre.light-well
      :preserve
-        git config --global user.name "#{git_user_name}"
-        git config --global user.email "#{git_user_email}"
+        git config --global user.name "#{h git_user_name}"
+        git config --global user.email "#{h git_user_email}"

  %fieldset
    %h5 Create a new repository
    %pre.light-well
      :preserve
        git clone #{ content_tag(:span, default_url_to_repo, class: 'clone')}
-        cd #{@project.path}
+        cd #{h @project.path}
        touch README.md
        git add README.md
        git commit -m "add README"

--- a/app/views/projects/merge_requests/show/_how_to_merge.html.haml
+++ b/app/views/projects/merge_requests/show/_how_to_merge.html.haml
@@ -11,12 +11,12 @@
        %pre.dark
          - if @merge_request.for_fork?
            :preserve
-              git fetch #{@merge_request.source_project.http_url_to_repo} #{@merge_request.source_branch}
-              git checkout -b #{@merge_request.source_project_path}-#{@merge_request.source_branch} FETCH_HEAD
+              git fetch #{h @merge_request.source_project.http_url_to_repo} #{h @merge_request.source_branch}
+              git checkout -b #{h @merge_request.source_project_path}-#{h @merge_request.source_branch} FETCH_HEAD
          - else
            :preserve
              git fetch origin
-              git checkout -b #{@merge_request.source_branch} origin/#{@merge_request.source_branch}
+              git checkout -b #{h @merge_request.source_branch} origin/#{h @merge_request.source_branch}
        %p
          %strong Step 2.
          Review the changes locally
@@ -27,18 +27,18 @@
        %pre.dark
          - if @merge_request.for_fork?
            :preserve
-              git checkout #{@merge_request.target_branch}
-              git merge --no-ff #{@merge_request.source_project_path}-#{@merge_request.source_branch}
+              git checkout #{h @merge_request.target_branch}
+              git merge --no-ff #{h @merge_request.source_project_path}-#{h @merge_request.source_branch}
          - else
            :preserve
-              git checkout #{@merge_request.target_branch}
-              git merge --no-ff #{@merge_request.source_branch}
+              git checkout #{h @merge_request.target_branch}
+              git merge --no-ff #{h @merge_request.source_branch}
        %p
          %strong Step 4.
          Push the result of the merge to GitLab
        %pre.dark
          :preserve
-            git push origin #{@merge_request.target_branch}
+            git push origin #{h @merge_request.target_branch}
        - unless @merge_request.can_be_merged_by?(current_user)
          %p
            Note that pushing to GitLab requires write access to this repository.

--- a/app/views/projects/wikis/git_access.html.haml
+++ b/app/views/projects/wikis/git_access.html.haml
@@ -21,7 +21,7 @@
    %pre.dark
      :preserve
        git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')}
-        cd #{@project_wiki.path}
+        cd #{h @project_wiki.path}

    %legend Start Gollum And Edit Locally:
    %pre.dark