Commit 3d4706d8 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '11161-master-broken-related-to-tracing-and-sanitizing' into 'master'

Resolve "Master broken related to tracing and sanitizing"

Closes #11161

See merge request gitlab-org/gitlab-ee!11000
parents acc27dc6 406f9df9
......@@ -10,6 +10,6 @@ class ProjectTracingSetting < ApplicationRecord
private
def sanitize_external_url
self.external_url = ActionController::Base.helpers.sanitize(self.external_url, tags: [])
self.external_url = Rails::Html::FullSanitizer.new.sanitize(self.external_url)
end
end
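Review bot: `sanitize_external_url` strips markup from `external_url` but never checks that what survives is an http(s) URL, and both view hunks hand the value straight to `link_to` as the `href`; a URL with a non-web scheme passes a tag stripper untouched. Add a scheme allow-list next to the callback, e.g. `validates :external_url, format: { with: %r{\Ahttps?://}i }, allow_blank: true`, so the model rejects such a value instead of relying on output encoding downstream. The rest of the class, including the callback that invokes this method, is outside the hunk.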
......@@ -3,7 +3,7 @@
- if project_nav_tab? :settings
= nav_link(controller: :tracings, action: [:show]) do
- if @project.tracing_external_url.present?
= link_to sanitize(@project.tracing_external_url, tags: []), target: "_blank", rel: 'noopener noreferrer' do
= link_to sanitize(@project.tracing_external_url, scrubber: Rails::Html::TextOnlyScrubber.new), target: "_blank", rel: 'noopener noreferrer' do
%span
= _('Tracing')
%i.strong.ml-1.fa.fa-external-link
......
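Review bot: The `sanitize(...)` call in the new `link_to` returns an html-safe buffer, and Rails skips attribute escaping for html-safe values when it writes the `href`, so the view-level scrub effectively switches off the escaping `link_to` would otherwise apply; as far as I can tell the text scrubber's serialization encodes `<`, `>` and `&` but leaves `"` alone, so the attribute is only as safe as what the scrubber happens to pass through. Since the model already runs `external_url` through `FullSanitizer` on save, pass the stored value as a plain string — `= link_to @project.tracing_external_url, target: "_blank", rel: 'noopener noreferrer' do` — and let the tag helper encode it. The second view hunk (`tracing_link = link_to sanitize(...)`) has the same pattern. The enclosing `nav_link` block closes outside the hunk.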
......@@ -9,7 +9,7 @@
= _("Jaeger tracing")
%p
- if has_jaeger_url
- tracing_link = link_to sanitize(@project.tracing_external_url, tags: []), target: "_blank", rel: 'noopener noreferrer' do
- tracing_link = link_to sanitize(@project.tracing_external_url, scrubber: Rails::Html::TextOnlyScrubber.new), target: "_blank", rel: 'noopener noreferrer' do
%span
= _('Tracing')
= sprite_icon('external-link', size: 16, css_class: 'ml-1 vertical-align-middle')
......
......@@ -15,7 +15,7 @@ class SanitizeTracingExternalUrl < ActiveRecord::Migration[4.2]
self.table_name = 'project_tracing_settings'
def sanitize_external_url
self.external_url = ActionController::Base.helpers.sanitize(self.external_url, tags: [])
self.external_url = Rails::Html::FullSanitizer.new.sanitize(self.external_url)
end
end
......
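Review bot: This data migration now pushes every existing `external_url` through `Rails::Html::FullSanitizer`, which entity-encodes as well as strips — its spec in this merge now expects `'&gt;` where it previously expected `'>` — so rows that were already clean are not guaranteed to come back byte-identical; an `&` separating query parameters is the likely casualty, and that should be confirmed against a URL with a query string before this runs on real data. If the earlier revision of this migration has already run anywhere, those environments will hold differently-encoded values than ones that run this version, so a comment on `sanitize_external_url` recording the change, e.g. `# Re-sanitised with FullSanitizer (entity-encodes); earlier revision used sanitize(tags: []).`, would help whoever debugs that later. The model hunk (`ProjectTracingSetting#sanitize_external_url`) uses the same sanitizer and inherits the same encoding behaviour. The migration's `up`/`down` and the inner model class header are outside the hunk.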
......@@ -13,7 +13,7 @@ describe SanitizeTracingExternalUrl, :migration do
let(:valid_url) { "https://replaceme.com/" }
let(:invalid_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
let(:cleaned_url) { "https://replaceme.com/'>" }
let(:cleaned_url) { "https://replaceme.com/'&gt;" }
before do
namespaces.create(id: 1, name: 'gitlab-org', path: 'gitlab-org')
......
......@@ -29,7 +29,7 @@ describe ProjectTracingSetting do
it 'sanitizes the url' do
tracing_setting.external_url = "https://replaceme.com/'><script>alert(document.cookie)</script>"
expect(tracing_setting).to be_valid
expect(tracing_setting.external_url).to eq("https://replaceme.com/'>")
expect(tracing_setting.external_url).to eq("https://replaceme.com/'&gt;")
end
end
end
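Review bot: The updated expectation pins the stored value to an HTML-entity form (`'&gt;`), but there is no companion example showing that a well-formed URL survives the callback unchanged, which is the property readers of `external_url` actually depend on. Add one alongside, e.g. `it 'keeps a plain URL intact' do` with `tracing_setting.external_url = "https://replaceme.com/?a=1&b=2"` and `expect(tracing_setting.external_url).to eq("https://replaceme.com/?a=1&b=2")` — if that fails because `&` is re-encoded, the sanitizer choice in the model needs revisiting rather than the test. The migration spec hunk has the same gap (its `valid_url` carries no query string). The `describe` block and the `tracing_setting` definition are outside the hunk.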