author | Kushal Pandya <kushal@gitlab.com> | 2018-11-12 12:21:25 +0300 |
committer | Kushal Pandya <kushal@gitlab.com> | 2018-11-12 12:21:25 +0300 |
commit | 117072d45f7fbcc375bec66758f5187f2a0de3ea (patch) | |
tree | 34ee672c838e4b74a6012719ed94e0c2def55215 /app/assets/javascripts/gfm_auto_complete.js | |
parent | 2e690c8208e9da5e7152e77cd77efdade5260be1 (diff) |
Fix user name autocomplete XSS when name contains HTML
Diffstat (limited to 'app/assets/javascripts/gfm_auto_complete.js')
-rw-r--r-- | app/assets/javascripts/gfm_auto_complete.js | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/app/assets/javascripts/gfm_auto_complete.js b/app/assets/javascripts/gfm_auto_complete.js
index 00b3d283570..6f8b73564d0 100644
--- a/app/assets/javascripts/gfm_auto_complete.js
+++ b/app/assets/javascripts/gfm_auto_complete.js
@@ -151,10 +151,16 @@ class GfmAutoComplete {
     // Team Members
     $input.atwho({
       at: '@',
+      alias: 'users',
       displayTpl(value) {
         let tmpl = GfmAutoComplete.Loading.template;
-        if (value.username != null) {
-          tmpl = GfmAutoComplete.Members.template;
+        const { avatarTag, username, title } = value;
+        if (username != null) {
+          tmpl = GfmAutoComplete.Members.templateFunction({
+            avatarTag,
+            username,
+            title,
+          });
         }
         return tmpl;
       },
@@ -565,8 +571,9 @@ GfmAutoComplete.Emoji = {
 };
 // Team Members
 GfmAutoComplete.Members = {
-  // eslint-disable-next-line no-template-curly-in-string
-  template: '<li>${avatarTag} ${username} <small>${title}</small></li>',
+  templateFunction({ avatarTag, username, title }) {
+    return `<li>${avatarTag} ${username} <small>${_.escape(title)}</small></li>`;
+  },
 };
 GfmAutoComplete.Labels = {
   template: |
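Review bot: In the second hunk, `templateFunction` escapes only `title`; `username` is interpolated into the same HTML string unescaped, and `avatarTag` is dropped in raw as well. If usernames are restricted to a safe character set by validation elsewhere this is fine, but nothing in the hunk establishes that, so either escape it too, `return `<li>${avatarTag} ${_.escape(username)} <small>${_.escape(title)}</small></li>`;`, or add a comment stating why it is trusted. `avatarTag` is presumably pre-rendered markup that cannot be escaped here; a one-line comment above the return such as `// avatarTag is server-rendered markup and is inserted as-is; title is free text and must be escaped` would make the trust boundary explicit for the next maintainer. The hunk does not show where `_` is imported, so it is assumed to be in scope for this file. The first hunk's `displayTpl` now builds markup through this function, so the same assumption about `avatarTag` applies there.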