Merge branch 'security-55320-stored-xss-in-user-status' into 'master'

[master] Use sanitized user status message in user popover Closes #2786 See merge request gitlab/gitlabhq!2848

Merge branch 'security-55320-stored-xss-in-user-status' into 'master'
[master] Use sanitized user status message in user popover Closes #2786 See merge request gitlab/gitlabhq!2848
8808f1d9 · Tim Zallmann · 61d45d5c · e7aaada2 · 8808f1d9 · 8808f1d9
Commit 8808f1d9 authored Jan 25, 2019 by Tim Zallmann
3 changed files
--- a/app/assets/javascripts/vue_shared/components/user_popover/user_popover.vue
+++ b/app/assets/javascripts/vue_shared/components/user_popover/user_popover.vue
@@ -28,10 +28,10 @@ export default {
  },
  computed: {
    statusHtml() {
-      if (this.user.status.emoji && this.user.status.message) {
-        return `${glEmojiTag(this.user.status.emoji)} ${this.user.status.message}`;
-      } else if (this.user.status.message) {
-        return this.user.status.message;
+      if (this.user.status.emoji && this.user.status.message_html) {
+        return `${glEmojiTag(this.user.status.emoji)} ${this.user.status.message_html}`;
+      } else if (this.user.status.message_html) {
+        return this.user.status.message_html;
      }
      return '';
    },

--- a/changelogs/unreleased/security-55320-stored-xss-in-user-status.yml
+++ b/changelogs/unreleased/security-55320-stored-xss-in-user-status.yml
+---
+title: Use sanitized user status message for user popover
+merge_request:
+author:
+type: security
--- a/spec/javascripts/vue_shared/components/user_popover/user_popover_spec.js
+++ b/spec/javascripts/vue_shared/components/user_popover/user_popover_spec.js
@@ -122,7 +122,7 @@ describe('User Popover Component', () => {
  describe('status data', () => {
    it('should show only message', () => {
      const testProps = Object.assign({}, DEFAULT_PROPS);
-      testProps.user.status = { message: 'Hello World' };
+      testProps.user.status = { message_html: 'Hello World' };

      vm = mountComponent(UserPopover, {
        ...DEFAULT_PROPS,
@@ -134,12 +134,12 @@ describe('User Popover Component', () => {

    it('should show message and emoji', () => {
      const testProps = Object.assign({}, DEFAULT_PROPS);
-      testProps.user.status = { emoji: 'basketball_player', message: 'Hello World' };
+      testProps.user.status = { emoji: 'basketball_player', message_html: 'Hello World' };

      vm = mountComponent(UserPopover, {
        ...DEFAULT_PROPS,
        target: document.querySelector('.js-user-link'),
-        status: { emoji: 'basketball_player', message: 'Hello World' },
+        status: { emoji: 'basketball_player', message_html: 'Hello World' },
      });

      expect(vm.$el.textContent).toContain('Hello World');