Merge branch 'winh-search-bar-xss-9.5' into 'security-9-5'

Escape user name in filtered search bar See merge request gitlab/gitlabhq!2195

Merge branch 'winh-search-bar-xss-9.5' into 'security-9-5'
31a79544 · Phil Hughes · 80ef42d6 · 18eaac2f · 31a79544 · 31a79544
Commit 31a79544 authored Sep 26, 2017 by Phil Hughes
3 changed files
--- a/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
+++ b/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js
@@ -123,8 +123,8 @@ class FilteredSearchVisualTokens {
        /* eslint-disable no-param-reassign */
        tokenValueContainer.dataset.originalValue = tokenValue;
        tokenValueElement.innerHTML = `
-          <img class="avatar s20" src="${user.avatar_url}" alt="${user.name}'s avatar">
-          ${user.name}
+          <img class="avatar s20" src="${user.avatar_url}" alt="">
+          ${_.escape(user.name)}
        `;
        /* eslint-enable no-param-reassign */
      })

--- a/changelogs/unreleased/winh-search-bar-xss-9-5.yml
+++ b/changelogs/unreleased/winh-search-bar-xss-9-5.yml
+---
+title: Escape user name in filtered search bar
+merge_request:
+author:
--- a/spec/javascripts/filtered_search/filtered_search_visual_tokens_spec.js
+++ b/spec/javascripts/filtered_search/filtered_search_visual_tokens_spec.js
@@ -791,6 +791,29 @@ describe('Filtered Search Visual Tokens', () => {
        expect(tokenValueElement.innerText.trim()).toBe(dummyUser.name);
        const avatar = tokenValueElement.querySelector('img.avatar');
        expect(avatar.src).toBe(dummyUser.avatar_url);
+        expect(avatar.alt).toBe('');
+      })
+      .then(done)
+      .catch(done.fail);
+    });
+
+    it('escapes user name when creating token', (done) => {
+      const dummyUser = {
+        name: '<script>',
+        avatar_url: `${gl.TEST_HOST}/mypics/avatar.png`,
+      };
+      const { tokenValueContainer, tokenValueElement } = findElements(authorToken);
+      const tokenValue = tokenValueElement.innerText;
+      usersCacheSpy = (username) => {
+        expect(`@${username}`).toBe(tokenValue);
+        return Promise.resolve(dummyUser);
+      };
+
+      subject.updateUserTokenAppearance(tokenValueContainer, tokenValueElement, tokenValue)
+      .then(() => {
+        expect(tokenValueElement.innerText.trim()).toBe(dummyUser.name);
+        tokenValueElement.querySelector('.avatar').remove();
+        expect(tokenValueElement.innerHTML.trim()).toBe(_.escape(dummyUser.name));
      })
      .then(done)
      .catch(done.fail);