Commit ad9898c4 authored by Markus Koller's avatar Markus Koller

HTML-escape search term in empty message

parent aa175994
...@@ -79,7 +79,7 @@ module SearchHelper ...@@ -79,7 +79,7 @@ module SearchHelper
def search_entries_empty_message(scope, term) def search_entries_empty_message(scope, term)
(s_("SearchResults|We couldn't find any %{scope} matching %{term}") % { (s_("SearchResults|We couldn't find any %{scope} matching %{term}") % {
scope: search_entries_scope_label(scope, 0), scope: search_entries_scope_label(scope, 0),
term: "<code>#{term}</code>" term: "<code>#{h(term)}</code>"
}).html_safe }).html_safe
end end
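Review bot: The `scope:` value on the line above the changed one is still interpolated unescaped into a string that is then marked `html_safe`, so after this fix the method's safety rests entirely on `search_entries_scope_label/2` returning trusted text; if that helper can ever echo caller-influenced input, it is the same class of defect as the one fixed here. Escaping it the same way is harmless for a plain label, `scope: h(search_entries_scope_label(scope, 0)),`, and a why-comment above the `.html_safe` call would record the invariant for the next reader: `# html_safe is justified only because every interpolated value is escaped with h above.` The spec change in this commit pins the term case but nothing exercises the scope value.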
---
title: HTML-escape search term in empty message
merge_request: 18319
author:
type: security
...@@ -142,9 +142,9 @@ describe SearchHelper do ...@@ -142,9 +142,9 @@ describe SearchHelper do
describe 'search_entries_empty_message' do describe 'search_entries_empty_message' do
it 'returns the formatted entry message' do it 'returns the formatted entry message' do
message = search_entries_empty_message('projects', 'foo') message = search_entries_empty_message('projects', '<h1>foo</h1>')
expect(message).to eq("We couldn't find any projects matching <code>foo</code>") expect(message).to eq("We couldn't find any projects matching <code>&lt;h1&gt;foo&lt;/h1&gt;</code>")
expect(message).to be_html_safe expect(message).to be_html_safe
end end
end end
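Review bot: Replacing the plain `'foo'` input with `'<h1>foo</h1>'` in the existing example drops the only coverage of an ordinary search term, so a later regression that altered or double-escaped plain text would go unnoticed, and the escaping behaviour is no longer visible as a distinct intent in the spec. Keep the original example as it was and add the markup input as a second `it 'HTML-escapes the search term'` block with the `&lt;h1&gt;` expectation already written here. The `describe` block also has no case for the `scope` label, which is interpolated into the same `html_safe` string by the helper.
```ruby
describe 'search_entries_empty_message' do
  it 'returns the formatted entry message' do
    message = search_entries_empty_message('projects', 'foo')

    expect(message).to eq("We couldn't find any projects matching <code>foo</code>")
    expect(message).to be_html_safe
  end

  it 'HTML-escapes the search term' do
    # … unchanged: the '<h1>foo</h1>' example and its two expectations …
  end
end
```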