authorJacob Schatz <jschatz@gitlab.com>2017-09-06 19:30:38 +0300
committerJacob Schatz <jschatz@gitlab.com>2017-09-06 19:30:38 +0300
commite42dfe49fd59bcc60240a85afdcc78054e128e63 (patch)
tree56070ae4ff0c6ded4221ab6c3405d361cf38ae83
parentf3cad287c0a26e64da61fa8c245e234ee0ac9f18 (diff)
parent349fc021d9ad34c0ef223e750552b9a26e5c4df2 (diff)
Merge branch 'fix-comment-reflection-9-3' into 'security-9-3'
Fix Live Comment XSS Vulnerability for 9.3 See merge request gitlab/gitlabhq!2190
-rw-r--r--app/assets/javascripts/notes.js43
-rw-r--r--spec/javascripts/notes_spec.js14
2 files changed, 37 insertions, 20 deletions
diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js
index 9b68584492d..b25911f68db 100644
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1275,31 +1275,34 @@ const normalizeNewlines = function(str) {
const discussionClass = isDiscussionNote ? 'discussion' : '';
const $tempNote = $(
`<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry">
- <div class="timeline-entry-inner">
- <div class="timeline-icon">
- <a href="/${currentUsername}">
- <img class="avatar s40" src="${currentUserAvatar}">
- </a>
+ <div class="timeline-entry-inner">
+ <div class="timeline-icon">
+ <a href="/${_.escape(currentUsername)}">
+ <img class="avatar s40" src="${currentUserAvatar}" />
+ </a>
+ </div>
+ <div class="timeline-content ${discussionClass}">
+ <div class="note-header">
+ <div class="note-header-info">
+ <a href="/${_.escape(currentUsername)}">
+ <span class="hidden-xs">${_.escape(currentUsername)}</span>
+ <span class="note-headline-light">${_.escape(currentUsername)}</span>
+ </a>
+ </div>
</div>
- <div class="timeline-content ${discussionClass}">
- <div class="note-header">
- <div class="note-header-info">
- <a href="/${currentUsername}">
- <span class="hidden-xs">${currentUserFullname}</span>
- <span class="note-headline-light">@${currentUsername}</span>
- </a>
- </div>
- </div>
- <div class="note-body">
- <div class="note-text">
- <p>${formContent}</p>
- </div>
- </div>
+ <div class="note-body">
+ <div class="note-text">
+ <p>${formContent}</p>
+ </div>
</div>
- </div>
+ </div>
+ </div>
</li>`
);
+ $tempNote.find('.hidden-xs').text(_.escape(currentUserFullname));
+ $tempNote.find('.note-headline-light').text(`@${_.escape(currentUsername)}`);
+
return $tempNote;
};
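Review bot: The two `.text()` calls added after the template double-encode the name: jQuery's `.text()` already treats its argument as literal text and never runs it through the HTML parser, so wrapping the value in `_.escape` first makes a full name such as `Tom & Jerry` render as `Tom &amp; Jerry` in the placeholder note. Drop the `_.escape(...)` wrapper from both `.text()` arguments and keep `.text()` as the single defence; the `${_.escape(currentUsername)}` interpolations inside the two spans are then overwritten immediately and can be removed. Separately, `currentUserAvatar` (the `src` attribute) and `formContent` (inside `<p>`) are still interpolated raw into the template; unless the caller guarantees they are escaped or server-generated, which this hunk does not show, they deserve the same `_.escape` treatment as `currentUsername`. The enclosing `createPlaceholderNote` function begins before this hunk.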
diff --git a/spec/javascripts/notes_spec.js b/spec/javascripts/notes_spec.js
index 470193b50f7..d2881de6c8a 100644
--- a/spec/javascripts/notes_spec.js
+++ b/spec/javascripts/notes_spec.js
@@ -768,6 +768,20 @@ import '~/notes';
expect($tempNote.prop('nodeName')).toEqual('LI');
expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy();
});
+
+ it('should return a escaped user name', () => {
+ const currentUserFullnameXSS = 'Foo <script>alert("XSS")</script>';
+ const $tempNote = this.notes.createPlaceholderNote({
+ formContent: sampleComment,
+ uniqueId,
+ isDiscussionNote: false,
+ currentUsername,
+ currentUserFullname: currentUserFullnameXSS,
+ currentUserAvatar,
+ });
+ const $tempNoteHeader = $tempNote.find('.note-header');
+ expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual('Foo &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;');
+ });
});
describe('createPlaceholderSystemNote', () => {
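Review bot: The new spec pins the double-encoded rendering rather than the security property: it asserts that the `.text()` of `.hidden-xs` equals the entity-encoded string, which means a user whose name contains `&`, `<` or `"` is shown literal `&amp;`/`&lt;`/`&quot;` sequences in the UI. A test for the XSS fix should check that the name produced no element and that the visible text is the original name, e.g. `expect($tempNoteHeader.find('script').length).toEqual(0);` and `expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual(currentUserFullnameXSS);`; as written the spec has to change whenever the double encoding in notes.js is corrected. The spec also exercises only `currentUserFullname`; `currentUsername` is escaped in the same commit and a sibling case with a username containing `<img onerror=...>` would cover the `href` and `@name` paths too.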