Merge branch 'branch-name-escape' into 'security'

Fix XSS in branches dropdown See merge request !2093

Merge branch 'branch-name-escape' into 'security'
Fix XSS in branches dropdown See merge request !2093
b74683ee · Robert Speicher · Lin Jen-Shin · 28b4d18f · b74683ee · b74683ee
Commit b74683ee authored May 03, 2017 by Robert Speicher Committed by Lin Jen-Shin May 04, 2017
3 changed files
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -581,7 +581,7 @@
        var link = document.createElement('a');

        link.href = url;
-        link.innerHTML = text;
+        link.textContent = text;

        if (selected) {
          link.className = 'is-active';

--- a/changelogs/unreleased/branch-name-escape.yml
+++ b/changelogs/unreleased/branch-name-escape.yml
+---
+title: Fixed branches dropdown rendering branch names as HTML
+merge_request:
+author:
--- a/spec/javascripts/gl_dropdown_spec.js.es6
+++ b/spec/javascripts/gl_dropdown_spec.js.es6
@@ -52,12 +52,8 @@ require('~/lib/utils/url_utility');
        search: {
          fields: ['name']
        },
-        text: (project) => {
-          (project.name_with_namespace || project.name);
-        },
-        id: (project) => {
-          project.id;
-        }
+        text: project => (project.name_with_namespace || project.name),
+        id: project => project.id
      });
    }

@@ -80,6 +76,18 @@ require('~/lib/utils/url_utility');
      expect(this.dropdownContainerElement).toHaveClass('open');
    });

+    it('escapes HTML as text', () => {
+      this.projectsData[0].name_with_namespace = '<script>alert("testing");</script>';
+
+      initDropDown.call(this, false);
+
+      this.dropdownButtonElement.click();
+
+      expect(
+        $('.dropdown-content li:first-child').text(),
+      ).toBe('<script>alert("testing");</script>');
+    });
+
    describe('that is open', () => {
      beforeEach(() => {
        initDropDown.call(this, false, false);