Commit 90e1f10f authored by John Jarvis's avatar John Jarvis

Merge branch 'security-label-xss' into 'master'

[master] Escape html entities when no label found

See merge request gitlab/gitlabhq!2706
parents a7470017 a1d69ab6
---
title: Escape html entities in LabelReferenceFilter when no label found
merge_request:
author:
type: security
......@@ -29,7 +29,7 @@ module Banzai
if label
yield match, label.id, project, namespace, $~
else
match
escape_html_entities(match)
end
end
end
......@@ -102,6 +102,10 @@ module Banzai
CGI.unescapeHTML(text.to_s)
end
def escape_html_entities(text)
CGI.escapeHTML(text.to_s)
end
def object_link_title(object, matches)
# use title of wrapped element instead
nil
......
......@@ -236,6 +236,24 @@ describe Banzai::Filter::LabelReferenceFilter do
end
end
context 'References with html entities' do
let!(:label) { create(:label, name: '<html>', project: project) }
it 'links to a valid reference' do
doc = reference_filter('See ~"<html>"')
expect(doc.css('a').first.attr('href')).to eq urls
.project_issues_url(project, label_name: label.name)
expect(doc.text).to eq 'See <html>'
end
it 'ignores invalid label names and escapes entities' do
act = %(Label #{Label.reference_prefix}"&lt;non valid&gt;")
expect(reference_filter(act).to_html).to eq act
end
end
describe 'consecutive references' do
let(:bug) { create(:label, name: 'bug', project: project) }
let(:feature_proposal) { create(:label, name: 'feature proposal', project: project) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment