Merge branch '11161-master-broken-related-to-tracing-and-sanitizing' into 'master'

Resolve "Master broken related to tracing and sanitizing" Closes #11161 See merge request gitlab-org/gitlab-ee!11000

Merge branch '11161-master-broken-related-to-tracing-and-sanitizing' into 'master'
Resolve "Master broken related to tracing and sanitizing" Closes #11161 See merge request gitlab-org/gitlab-ee!11000
3d4706d8 · Rémy Coutable · acc27dc6 · 406f9df9 · 3d4706d8 · 3d4706d8
Commit 3d4706d8 authored Apr 15, 2019 by Rémy Coutable
6 changed files
--- a/ee/app/models/project_tracing_setting.rb
+++ b/ee/app/models/project_tracing_setting.rb
@@ -10,6 +10,6 @@ class ProjectTracingSetting < ApplicationRecord
  private
  def sanitize_external_url
-    self.external_url = ActionController::Base.helpers.sanitize(self.external_url, tags: [])
+    self.external_url = Rails::Html::FullSanitizer.new.sanitize(self.external_url)
  end
 end
--- a/ee/app/views/layouts/nav/sidebar/_tracing_link.html.haml
+++ b/ee/app/views/layouts/nav/sidebar/_tracing_link.html.haml
@@ -3,7 +3,7 @@
 - if project_nav_tab? :settings
  = nav_link(controller: :tracings, action: [:show]) do
    - if @project.tracing_external_url.present?
-      = link_to sanitize(@project.tracing_external_url, tags: []), target: "_blank", rel: 'noopener noreferrer' do
+      = link_to sanitize(@project.tracing_external_url, scrubber: Rails::Html::TextOnlyScrubber.new), target: "_blank", rel: 'noopener noreferrer' do
        %span
          = _('Tracing')
          %i.strong.ml-1.fa.fa-external-link

--- a/ee/app/views/projects/settings/operations/_tracing.html.haml
+++ b/ee/app/views/projects/settings/operations/_tracing.html.haml
@@ -9,7 +9,7 @@
      = _("Jaeger tracing")
    %p
      - if has_jaeger_url
-        - tracing_link = link_to sanitize(@project.tracing_external_url, tags: []), target: "_blank", rel: 'noopener noreferrer' do
+        - tracing_link = link_to sanitize(@project.tracing_external_url, scrubber: Rails::Html::TextOnlyScrubber.new), target: "_blank", rel: 'noopener noreferrer' do
          %span
            = _('Tracing')
            = sprite_icon('external-link', size: 16, css_class: 'ml-1 vertical-align-middle')

--- a/ee/db/post_migrate/20181116100917_sanitize_tracing_external_url.rb
+++ b/ee/db/post_migrate/20181116100917_sanitize_tracing_external_url.rb
@@ -15,7 +15,7 @@ class SanitizeTracingExternalUrl < ActiveRecord::Migration[4.2]
    self.table_name = 'project_tracing_settings'
    def sanitize_external_url
-      self.external_url = ActionController::Base.helpers.sanitize(self.external_url, tags: [])
+      self.external_url = Rails::Html::FullSanitizer.new.sanitize(self.external_url)
    end
  end

--- a/ee/spec/migrations/sanitize_tracing_external_url_spec.rb
+++ b/ee/spec/migrations/sanitize_tracing_external_url_spec.rb
@@ -13,7 +13,7 @@ describe SanitizeTracingExternalUrl, :migration do
    let(:valid_url) { "https://replaceme.com/" }
    let(:invalid_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
-    let(:cleaned_url) { "https://replaceme.com/'>" }
+    let(:cleaned_url) { "https://replaceme.com/'&gt;" }
    before do
      namespaces.create(id: 1, name: 'gitlab-org', path: 'gitlab-org')

--- a/ee/spec/models/project_tracing_setting_spec.rb
+++ b/ee/spec/models/project_tracing_setting_spec.rb
@@ -29,7 +29,7 @@ describe ProjectTracingSetting do
    it 'sanitizes the url' do
      tracing_setting.external_url = "https://replaceme.com/'><script>alert(document.cookie)</script>"
      expect(tracing_setting).to be_valid
-      expect(tracing_setting.external_url).to eq("https://replaceme.com/'>")
+      expect(tracing_setting.external_url).to eq("https://replaceme.com/'&gt;")
    end
  end
 end