Fix for hamlit filter XSS in project import

678a39d5 · Brian Neel · 47dee0f5 · 678a39d5 · 678a39d5 · 678a39d5
Commit 678a39d5 authored Apr 26, 2017 by Brian Neel
Showing with 3 additions and 3 deletions

create.js.haml app/views/import/base/create.js.haml +1 -1

new.html.haml app/views/projects/imports/new.html.haml +1 -1

git_access.html.haml app/views/projects/wikis/git_access.html.haml +1 -1

No files found.
--- a/app/views/import/base/create.js.haml
+++ b/app/views/import/base/create.js.haml
@@ -10,4 +10,4 @@
 - else
  :plain
    job = $("tr#repo_#{@repo_id}")
-    job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(@project.errors.full_messages.join(','))}")
+    job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(h(@project.errors.full_messages.join(',')))}")
--- a/app/views/projects/imports/new.html.haml
+++ b/app/views/projects/imports/new.html.haml
@@ -10,7 +10,7 @@
    .panel-body
      %pre
        :preserve
-          #{sanitize_repo_path(@project, @project.import_error)}
+          #{h(sanitize_repo_path(@project, @project.import_error))}

 = form_for @project, url: namespace_project_import_path(@project.namespace, @project), method: :post, html: { class: 'form-horizontal' } do |f|
  = render "shared/import_form", f: f

--- a/app/views/projects/wikis/git_access.html.haml
+++ b/app/views/projects/wikis/git_access.html.haml
@@ -28,7 +28,7 @@
    %h3 Clone your wiki
    %pre.dark
      :preserve
-        git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')}
+        git clone #{ content_tag(:span, h(default_url_to_repo(@project_wiki)), class: 'clone')}
        cd #{h @project_wiki.path}

    %h3 Start Gollum and edit locally