HTML-escape search term in empty message

ad9898c4 · Markus Koller · aa175994 · ad9898c4 · ad9898c4 · ad9898c4
Commit ad9898c4 authored Oct 09, 2019 by Markus Koller
3 changed files
--- a/app/helpers/search_helper.rb
+++ b/app/helpers/search_helper.rb
@@ -79,7 +79,7 @@ module SearchHelper
  def search_entries_empty_message(scope, term)
    (s_("SearchResults|We couldn't find any %{scope} matching %{term}") % {
      scope: search_entries_scope_label(scope, 0),
-      term: "<code>#{term}</code>"
+      term: "<code>#{h(term)}</code>"
    }).html_safe
  end


--- a/changelogs/unreleased/33668-fix-search-term-xss.yml
+++ b/changelogs/unreleased/33668-fix-search-term-xss.yml
+---
+title: HTML-escape search term in empty message
+merge_request: 18319
+author:
+type: security
--- a/spec/helpers/search_helper_spec.rb
+++ b/spec/helpers/search_helper_spec.rb
@@ -142,9 +142,9 @@ describe SearchHelper do

  describe 'search_entries_empty_message' do
    it 'returns the formatted entry message' do
-      message = search_entries_empty_message('projects', 'foo')
+      message = search_entries_empty_message('projects', '<h1>foo</h1>')

-      expect(message).to eq("We couldn't find any projects matching <code>foo</code>")
+      expect(message).to eq("We couldn't find any projects matching <code>&lt;h1&gt;foo&lt;/h1&gt;</code>")
      expect(message).to be_html_safe
    end
  end