Commit 4aad7b5c authored by Douwe Maan's avatar Douwe Maan

Fix XSS issue by not using URI.join

parent 405ee489
......@@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
public_path = project.public_path_for_source_path(path, commit_sha)
return unless public_path
# TODO: Verify this can't be used for XSS
URI.join(external_url, public_path).to_s
[external_url, public_path].join('/')
end
private
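Review bot: Nothing on the new `[external_url, public_path].join('/')` line records why `URI.join` must not be reintroduced, and the removed TODO was the only hint. `URI.join` lets a `public_path` that parses as an absolute URI replace the base entirely, so a comment above the join such as `# Do not use URI.join: a public_path that parses as an absolute URI would override external_url` would keep that reasoning with the code. The link is now only as safe as `external_url` itself; its validation (presumably an http/https restriction on the model) is not visible in this hunk and is worth confirming, along with a regression spec for a `public_path` that carries its own scheme. A trailing slash on `external_url` would also produce `//` in the result, which `[external_url.chomp('/'), public_path].join('/')` avoids. The method starts above the hunk, so how `path` and `commit_sha` arrive is not visible here.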
......