Merge branch 'djadmin-fix-custom-emoji' into 'master'

Use tag helper to generate custom emojis

See merge request gitlab-org/gitlab!63275

lib/gitlab/emoji.rb

@@ -41,7 +41,17 @@ module Gitlab
     end
 
     def emoji_image_tag(name, src)
-      "<img class='emoji' title=':#{name}:' alt=':#{name}:' src='#{src}' height='20' width='20' align='absmiddle' />"
+      image_options = {
+        class:  'emoji',
+        src:    src,
+        title:  ":#{name}:",
+        alt:    ":#{name}:",
+        height: 20,
+        width:  20,
+        align:  'absmiddle'
+      }
+
+      ActionController::Base.helpers.tag(:img, image_options)
     end
 
     def emoji_exists?(name)

spec/lib/gitlab/emoji_spec.rb

@@ -91,7 +91,16 @@ RSpec.describe Gitlab::Emoji do
     it 'returns emoji image tag' do
       emoji_image = described_class.emoji_image_tag('emoji_one', 'src_url')
 
-      expect(emoji_image).to eq( "<img class='emoji' title=':emoji_one:' alt=':emoji_one:' src='src_url' height='20' width='20' align='absmiddle' />")
+      expect(emoji_image).to eq("<img class=\"emoji\" src=\"src_url\" title=\":emoji_one:\" alt=\":emoji_one:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
+    end
+
+    it 'escapes emoji image attrs to prevent XSS' do
+      xss_payload = "<script>alert(1)</script>"
+      escaped_xss_payload = html_escape(xss_payload)
+
+      emoji_image = described_class.emoji_image_tag(xss_payload, 'http://aaa#' + xss_payload)
+
+      expect(emoji_image).to eq("<img class=\"emoji\" src=\"http://aaa##{escaped_xss_payload}\" title=\":#{escaped_xss_payload}:\" alt=\":#{escaped_xss_payload}:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
     end
   end