Escape milestone title in sidebar tooltip

Prevents XSS attack in issue and MR sidebars

Escape milestone title in sidebar tooltip
Prevents XSS attack in issue and MR sidebars
af20fe80 · Heinrich Lee Yu · a6875e5f · af20fe80 · af20fe80 · af20fe80
Commit af20fe80 authored Jul 10, 2020 by Heinrich Lee Yu
3 changed files
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -29,7 +29,7 @@ module IssuablesHelper
  def sidebar_milestone_tooltip_label(milestone)
    return _('Milestone') unless milestone.present?

-    [milestone[:title], sidebar_milestone_remaining_days(milestone) || _('Milestone')].join('<br/>')
+    [escape_once(milestone[:title]), sidebar_milestone_remaining_days(milestone) || _('Milestone')].join('<br/>')
  end

  def sidebar_milestone_remaining_days(milestone)

--- a/changelogs/unreleased/security-fix-xss-in-milestone-tooltip.yml
+++ b/changelogs/unreleased/security-fix-xss-in-milestone-tooltip.yml
+---
+title: Fix XSS in milestone tooltips
+merge_request:
+author:
+type: security
--- a/spec/helpers/issuables_helper_spec.rb
+++ b/spec/helpers/issuables_helper_spec.rb
@@ -327,4 +327,12 @@ RSpec.describe IssuablesHelper do
      end
    end
  end
+
+  describe '#sidebar_milestone_tooltip_label' do
+    it 'escapes HTML in the milestone title' do
+      milestone = build(:milestone, title: '&lt;img onerror=alert(1)&gt;')
+
+      expect(helper.sidebar_milestone_tooltip_label(milestone)).to eq('&lt;img onerror=alert(1)&gt;<br/>Milestone')
+    end
+  end
 end