Remove XSS vulnerability in Label and Milestone dropdowns

b6e8aca9 · Robert Speicher · 70ada081 · b6e8aca9 · b6e8aca9 · b6e8aca9
Commit b6e8aca9 authored Apr 19, 2016 by Robert Speicher
3 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 8.6.7
  - Fix persistent XSS vulnerability in `commit_person_link` helper
+  - Fix persistent XSS vulnerability in Label and Milestone dropdowns
  - Fix vulnerability that made it possible to enumerate private projects belonging to group
 v 8.6.6

--- a/app/assets/javascripts/labels_select.js.coffee
+++ b/app/assets/javascripts/labels_select.js.coffee
@@ -126,7 +126,7 @@ class @LabelsSelect
          "<li>
            <a href='#' class='#{selected}'>
              #{color}
-              #{label.title}
+              #{_.escape(label.title)}
            </a>
          </li>"
        filterable: true

--- a/app/assets/javascripts/milestone_select.js.coffee
+++ b/app/assets/javascripts/milestone_select.js.coffee
@@ -53,7 +53,7 @@ class @MilestoneSelect
            defaultLabel
        fieldName: $dropdown.data('field-name')
        text: (milestone) ->
-          milestone.title
+          _.escape(milestone.title)
        id: (milestone) ->
          if !useId
            milestone.name