
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: Robert Speicher <rspeicher@gmail.com> 2016-04-19 18:22:19 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2016-04-19 18:25:38 +0300
commit: 6daf9677199779532947ae2667007809e817a627 (patch)
tree: 80a0ae868acb6d1ed4c6d851dabaab624c676e4c
parent: ba0f3b6e9164dcce62a2eb52a553e2f2def2cd9b (diff)
Remove persistent XSS vulnerability in `commit_person_link` helper
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948
-rw-r--r-- CHANGELOG 3
-rw-r--r-- app/helpers/commits_helper.rb 2
-rw-r--r-- app/helpers/projects_helper.rb 2
3 files changed, 5 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 0d53ffea831..974143f9fde 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
Please view this file on the master branch, on stable branches it's out of date.
+v 8.4.9
+ - Remove persistent XSS vulnerability in `commit_person_link` helper
+
v 8.4.8
- Fix a 2FA authentication spoofing vulnerability.
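Review bot: the new `v 8.4.9` entry gives readers of CHANGELOG no pointer to where the fix is discussed, while the commit message cites https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948; consider appending that reference to the entry so the changelog is self-sufficient. The placement above `v 8.4.8` and the blank separator line match the existing layout.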
diff --git a/app/helpers/commits_helper.rb b/app/helpers/commits_helper.rb
index d26f007c8e6..f5211cfda3b 100644
--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -152,7 +152,7 @@ module CommitsHelper
options = {
class: "commit-#{options[:source]}-link has_tooltip",
- data: { :'original-title' => sanitize(source_email) }
+ title: source_email
}
if user.nil?
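Review bot: replacing `data: { :'original-title' => sanitize(source_email) }` with `title: source_email` is the right direction, because Rails' `sanitize` is a whitelist HTML sanitizer that lets permitted markup through rather than an attribute escaper, whereas a plain `title:` option is HTML-escaped by the tag helper like any other attribute value. Two follow-ups: first, the element keeps its `has_tooltip` class, so confirm the tooltip initialiser reads the `title` attribute (and not only `data-original-title`) so the tooltip keeps working; second, the diffstat shows no spec change, and a regression test that renders `commit_person_link` with an email containing `<` or `"` and asserts the output is escaped would keep this from regressing.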
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 6bcff3aad14..ee1ed4926ab 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,7 @@ module ProjectsHelper
link_to(author_html, user_path(author), class: "author_link").html_safe
else
title = opts[:title].sub(":name", sanitize(author.name))
- link_to(author_html, user_path(author), class: "author_link has_tooltip", data: { :'original-title' => title, container: 'body' } ).html_safe
+ link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' } ).html_safe
end
end
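Review bot: the unchanged context line `title = opts[:title].sub(":name", sanitize(author.name))` still runs the author name through `sanitize`, which entity-encodes characters such as `&` and `<`; now that `title` is passed as a plain `title:` attribute, the tag helper escapes it a second time, so a name like `A & B` will surface as a double-encoded `A &amp; B` in the tooltip. Suggest dropping the `sanitize` call here and relying on the attribute escaping, which is what the new `title:` form provides. As a minor style point, the trailing `.html_safe` on `link_to(...)` is redundant since `link_to` already returns a safe buffer, and marking helper output safe by hand is the habit that made the original `data:` construction risky.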