Merge remote-tracking branch 'dev/master'

cb30eaf4 · Alessio Caiazza · 9bf26835 · eaae2461 · cb30eaf4 · cb30eaf4
Commit cb30eaf4 authored Jun 25, 2018 by Alessio Caiazza
5 changed files
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
 Please view this file on the master branch, on stable branches it's out of date.
+## 11.0.1 (2018-06-21)
+- No changes.
 ## 11.0.0 (2018-06-22)
 ### Security (2 changes)
@@ -71,6 +75,10 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Allow viewing only one when multiple issue boards is not enabled.
+## 10.8.5 (2018-06-21)
+- No changes.
 ## 10.8.4 (2018-06-06)
 ### Fixed (4 changes)
@@ -191,6 +199,10 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Remove `features/group_active_tab.feature`. !5554 (@blackst0ne)
+## 10.7.6 (2018-06-21)
+- No changes.
 ## 10.7.5 (2018-05-28)
 ### Security (3 changes)

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,17 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 11.0.1 (2018-06-21)
+### Security (5 changes)
+- Fix XSS vulnerability for table of content generation.
+- Update sanitize gem to 4.6.5 to fix HTML injection vulnerability.
+- HTML escape branch name in project graphs page.
+- HTML escape the name of the user in ProjectsHelper#link_to_member.
+- Don't show events from internal projects for anonymous users in public feed.
 ## 11.0.0 (2018-06-22)
 ### Security (3 changes)
@@ -242,6 +253,17 @@ entry.
 - Workhorse to send raw diff and patch for commits.
+## 10.8.5 (2018-06-21)
+### Security (5 changes)
+- Fix XSS vulnerability for table of content generation.
+- Update sanitize gem to 4.6.5 to fix HTML injection vulnerability.
+- HTML escape branch name in project graphs page.
+- HTML escape the name of the user in ProjectsHelper#link_to_member.
+- Don't show events from internal projects for anonymous users in public feed.
 ## 10.8.4 (2018-06-06)
 - No changes.
@@ -460,6 +482,22 @@ entry.
 - Gitaly handles repository forks by default.
+## 10.7.6 (2018-06-21)
+### Security (6 changes)
+- Fix XSS vulnerability for table of content generation.
+- Update sanitize gem to 4.6.5 to fix HTML injection vulnerability.
+- HTML escape branch name in project graphs page.
+- HTML escape the name of the user in ProjectsHelper#link_to_member.
+- Don't show events from internal projects for anonymous users in public feed.
+- XSS fix to use safe_params instead of params in url_for helpers.
+### Other (1 change)
+- Replacing gollum libraries for gitlab custom libs. !18343
 ## 10.7.5 (2018-05-28)
 ### Security (3 changes)

--- a/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml
+++ b/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml
+---
+title: Fix XSS vulnerability for table of content generation
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/table_of_contents_filter.rb
+++ b/lib/banzai/filter/table_of_contents_filter.rb
@@ -92,7 +92,7 @@ module Banzai
        def text
          return '' unless node
-          @text ||= node.text
+          @text ||= EscapeUtils.escape_html(node.text)
        end
        private

--- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
+++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
@@ -139,5 +139,14 @@ describe Banzai::Filter::TableOfContentsFilter do
        expect(items[5].ancestors).to include(items[4])
      end
    end
+    context 'header text contains escaped content' do
+      let(:content) { '&lt;img src="x" onerror="alert(42)"&gt;' }
+      let(:results) { result(header(1, content)) }
+      it 'outputs escaped content' do
+        expect(doc.inner_html).to include(content)
+      end
+    end
  end
 end