
Commit e629ec77 by Jacob Schatz Committed by Tiago Botelho

Merge branch 'label-xss-security' into 'security-10-2'

[10.2] Fix XSS in issue label dropdown See merge request gitlab/gitlabhq!2251 (cherry picked from commit df15b14521c46aaad5805ae90aa04739d78eec63) 6d693d09 Fix XSS in issue label dropdown
parent 6ae14819
......@@ -231,7 +231,7 @@ export default class LabelsSelect {
selectedClass.push('label-item');
$a.attr('data-label-id', label.id);
}
$a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
$a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
// Return generated html
return $li.html($a).prop('outerHTML');
},
......
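Review bot: `colorEl` on the new `.html()` line is still interpolated into the markup string unescaped, while only `label.title` now goes through `_.escape`; whether that is safe depends on how `colorEl` is built, which happens outside this hunk. Confirm it is composed only from values that are validated server-side (a label colour would be the likely source) or pass it through `_.escape` the same way, and consider a short why-comment on the line, `// label.title is user-controlled; escape before building markup`, so the next edit does not drop the escaping. The enclosing method starts and ends outside the hunk.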
......@@ -8,6 +8,7 @@ feature 'Issue Sidebar' do
let(:issue) { create(:issue, project: project) }
let!(:user) { create(:user)}
let!(:label) { create(:label, project: project, title: 'bug') }
let!(:xss_label) { create(:label, project: project, title: '<script>alert("xss");</script>') }
before do
sign_in(user)
......@@ -99,6 +100,14 @@ feature 'Issue Sidebar' do
restore_window_size
open_issue_sidebar
end
it 'escapes XSS when viewing issue labels' do
page.within('.block.labels') do
find('.edit-link').click
expect(page).to have_content '<script>alert("xss");</script>'
end
end
end
context 'editing issue labels', :js do
......
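Review bot: The new example in the second hunk relies on `have_content` to prove the label title was escaped, which only holds under a JavaScript driver, where an unescaped `<script>` would execute instead of rendering as text; the enclosing context header is outside the hunk, so confirm it carries `:js` like the 'editing issue labels' context on the following line. The `let!(:xss_label)` added in the first hunk is eager and creates the label for every example in the file although only this example depends on it (and none refers to it by name); scoping it to that example's context, or creating it in a `before` there, `create(:label, project: project, title: '<script>alert("xss");</script>')`, keeps the fixture next to the behaviour it exercises.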