Skip to content

G
gitlab-ce
Commit f0ba77b9 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot
Browse files
Options

Merge branch 'security-fix-xss-on-project-templates' into 'master' 

Fix XSS vulnerability on custom project templates form

Closes #32

See merge request gitlab-org/security/gitlab!111
parents f2094cb0 c2320bd7
Hide whitespace changes
Inline Side-by-side
Showing with 10 additions and 2 deletions
app/assets/javascripts/groups_select.js
View file @ f0ba77b9
import $ from 'jquery';
import axios from './lib/utils/axios_utils';
import Api from './api';
import { escape } from 'lodash';
import { normalizeHeaders } from './lib/utils/common_utils';
import { __ } from '~/locale';
......@@ -75,10 +76,12 @@ const groupsSelect = () => {
}
},
formatResult(object) {
return `<div class='group-result'> <div class='group-name'>${object.full_name}</div> <div class='group-path'>${object.full_path}</div> </div>`;
return `<div class='group-result'> <div class='group-name'>${escape(
object.full_name,
)}</div> <div class='group-path'>${object.full_path}</div> </div>`;
},
formatSelection(object) {
return object.full_name;
return escape(object.full_name);
},
dropdownCssClass: 'ajax-groups-dropdown select2-infinite',
// we do not want to escape markup since we are displaying html in results
......
changelogs/unreleased/security-fix-xss-on-project-templates.yml 0 → 100644
View file @ f0ba77b9
---
title: Fix XSS vulnerability on custom project templates form
merge_request:
author:
type: security
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7