diff options
author | Jacob Schatz <jschatz@gitlab.com> | 2017-12-15 23:29:53 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-01-17 04:04:38 +0300 |
commit | 6846b70dd499f5aeee6936b3f9604fe42cafe87a (patch) | |
tree | b224025720e84fe201c0e369f0e4f0007053c6ee /app/assets/javascripts/labels_select.js | |
parent | 72a57525a87b694799cd6406e8e8f117a902a890 (diff) |
Merge branch 'label-xss-10-3' into 'security-10-3'
[10.3] Fix XSS in issue label dropdown
See merge request gitlab/gitlabhq!2253
(cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360)
ea1fb0ea Fix XSS in issue label dropdown
Diffstat (limited to 'app/assets/javascripts/labels_select.js')
-rw-r--r-- | app/assets/javascripts/labels_select.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js index f7a1c9f1e40..664e793fc8e 100644 --- a/app/assets/javascripts/labels_select.js +++ b/app/assets/javascripts/labels_select.js @@ -231,7 +231,7 @@ export default class LabelsSelect { selectedClass.push('label-item'); $a.attr('data-label-id', label.id); } - $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title); + $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`); // Return generated html return $li.html($a).prop('outerHTML'); }, |