Correctly escape wiki commit message characters

https://gitlab.com/gitlab-org/gitlab/issues/35478

Correctly escape wiki commit message characters
https://gitlab.com/gitlab-org/gitlab/issues/35478
7f25701b · Luke Duncalfe · Natalia Tepluhina · a15388de · 7f25701b · 7f25701b
Commit 7f25701b authored Jan 30, 2020 by Luke Duncalfe Committed by Natalia Tepluhina Jan 30, 2020
4 changed files
--- a/app/assets/javascripts/pages/projects/wikis/wikis.js
+++ b/app/assets/javascripts/pages/projects/wikis/wikis.js
@@ -40,7 +40,7 @@ export default class Wikis {
    // Replace hyphens with spaces
    if (title) title = title.replace(/-+/g, ' ');

-    const newCommitMessage = sprintf(this.commitMessageI18n, { pageTitle: title });
+    const newCommitMessage = sprintf(this.commitMessageI18n, { pageTitle: title }, false);
    this.commitMessageInput.value = newCommitMessage;
  }


--- a/changelogs/unreleased/21371-auto-generated-wiki-commit-message-having-html-encoded-entities.yml
+++ b/changelogs/unreleased/21371-auto-generated-wiki-commit-message-having-html-encoded-entities.yml
+---
+title: Auto generated wiki commit message containing HTML encoded entities
+merge_request: 21371
+author: 2knal
+type: other
--- a/spec/features/projects/wiki/user_updates_wiki_page_spec.rb
+++ b/spec/features/projects/wiki/user_updates_wiki_page_spec.rb
@@ -83,15 +83,15 @@ describe 'User updates wiki page' do
      end

      it 'updates the commit message as the title is changed', :js do
-        fill_in(:wiki_title, with: 'Wiki title')
+        fill_in(:wiki_title, with: '& < > \ \ { } &')

-        expect(page).to have_field('wiki[message]', with: 'Update Wiki title')
+        expect(page).to have_field('wiki[message]', with: 'Update & < > \ \ { } &')
      end

-      it 'does not allow XSS', :js do
-        fill_in(:wiki_title, with: '<script>')
+      it 'correctly escapes the commit message entities', :js do
+        fill_in(:wiki_title, with: 'Wiki title')

-        expect(page).to have_field('wiki[message]', with: 'Update &lt;script&gt;')
+        expect(page).to have_field('wiki[message]', with: 'Update Wiki title')
      end

      it 'shows a validation error message' do

--- a/spec/features/projects/wiki/user_views_wiki_page_spec.rb
+++ b/spec/features/projects/wiki/user_views_wiki_page_spec.rb
@@ -129,6 +129,18 @@ describe 'User views a wiki page' do
    end
  end

+  context 'when a page has XSS in its message' do
+    before do
+      wiki_page.update(message: '<script>alert(true)<script>', content: 'XSS update')
+    end
+
+    it 'safely displays the message' do
+      visit(project_wiki_history_path(project, wiki_page))
+
+      expect(page).to have_content('<script>alert(true)<script>')
+    end
+  end
+
  context 'when page has invalid content encoding' do
    let(:content) { (+'whatever').force_encoding('ISO-8859-1') }