Merge branch 'label-xss-10-3' into 'security-10-3'

[10.3] Fix XSS in issue label dropdown See merge request gitlab/gitlabhq!2253 (cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360) ea1fb0ea Fix XSS in issue label dropdown

Merge branch 'label-xss-10-3' into 'security-10-3'
6846b70d · Jacob Schatz · Stan Hu · 72a57525 · 6846b70d · 6846b70d
Commit 6846b70d authored Dec 15, 2017 by Jacob Schatz Committed by Stan Hu Jan 16, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

labels_select.js app/assets/javascripts/labels_select.js +1 -1

issue_sidebar_spec.rb spec/features/issues/issue_sidebar_spec.rb +9 -0

No files found.
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -231,7 +231,7 @@ export default class LabelsSelect {
            selectedClass.push('label-item');
            $a.attr('data-label-id', label.id);
          }
-          $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
+          $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
          // Return generated html
          return $li.html($a).prop('outerHTML');
        },

--- a/spec/features/issues/issue_sidebar_spec.rb
+++ b/spec/features/issues/issue_sidebar_spec.rb
@@ -8,6 +8,7 @@ feature 'Issue Sidebar' do
  let(:issue) { create(:issue, project: project) }
  let!(:user) { create(:user)}
  let!(:label) { create(:label, project: project, title: 'bug') }
+  let!(:xss_label) { create(:label, project: project, title: '&lt;script&gt;alert("xss");&lt;&#x2F;script&gt;') }
  before do
    sign_in(user)
@@ -99,6 +100,14 @@ feature 'Issue Sidebar' do
        restore_window_size
        open_issue_sidebar
      end
+      it 'escapes XSS when viewing issue labels' do
+        page.within('.block.labels') do
+          find('.edit-link').click
+          expect(page).to have_content '<script>alert("xss");</script>'
+        end
+      end
    end
    context 'editing issue labels', :js do