Fix XSS on custom project templates form

c2320bd7 · Juan Broullon · 594f2c81 · c2320bd7 · c2320bd7
Commit c2320bd7 authored Jan 22, 2020 by Juan Broullon
Showing with 10 additions and 2 deletions

app/assets/javascripts/groups_select.js app/assets/javascripts/groups_select.js +5 -2

changelogs/unreleased/security-fix-xss-on-project-templates.yml ...logs/unreleased/security-fix-xss-on-project-templates.yml +5 -0

No files found.
--- a/app/assets/javascripts/groups_select.js
+++ b/app/assets/javascripts/groups_select.js
 import $ from 'jquery';
 import axios from './lib/utils/axios_utils';
 import Api from './api';
+import { escape } from 'lodash';
 import { normalizeHeaders } from './lib/utils/common_utils';
 import { __ } from '~/locale';

@@ -75,10 +76,12 @@ const groupsSelect = () => {
        }
      },
      formatResult(object) {
-        return `<div class='group-result'> <div class='group-name'>${object.full_name}</div> <div class='group-path'>${object.full_path}</div> </div>`;
+        return `<div class='group-result'> <div class='group-name'>${escape(
+          object.full_name,
+        )}</div> <div class='group-path'>${object.full_path}</div> </div>`;
      },
      formatSelection(object) {
-        return object.full_name;
+        return escape(object.full_name);
      },
      dropdownCssClass: 'ajax-groups-dropdown select2-infinite',
      // we do not want to escape markup since we are displaying html in results

--- a/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+++ b/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+---
+title: Fix XSS vulnerability on custom project templates form
+merge_request:
+author:
+type: security