app/views · af06431cef89f3c41dd0f682ec2ab7a864c9a0b9 · Forest Godfrey / gitlab-ce

Merge branch 'rs-issue-15126' into 'master' · 60942bf5

authored Apr 19, 2016

Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as
`data-original-title` (which Bootstrap's Tooltip JS automatically
applies based on the `title` attribute; we should never be setting it
directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting
Rails escape the value, which also negates the need for us to call
`sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948

60942bf5

Name	Last commit	Last update
..
abuse_report_mailer		Loading commit data...
abuse_reports		Loading commit data...
admin		Loading commit data...
ci		Loading commit data...
dashboard		Loading commit data...
devise		Loading commit data...
doorkeeper		Loading commit data...
email_rejection_mailer		Loading commit data...
emojis		Loading commit data...
errors		Loading commit data...
events		Loading commit data...
explore		Loading commit data...
groups		Loading commit data...
help		Loading commit data...
import		Loading commit data...
invites		Loading commit data...
kaminari/gitlab		Loading commit data...
layouts		Loading commit data...
notify		Loading commit data...
profiles		Loading commit data...
projects		Loading commit data...
repository_check_mailer		Loading commit data...
search		Loading commit data...
shared		Loading commit data...
sherlock		Loading commit data...
snippets		Loading commit data...
users		Loading commit data...
votes		Loading commit data...