Merge branch 'security-html_escape_usernames' into 'master'

[master] HTML escape the name of the user in ProjectsHelper#link_to_member See merge request gitlab/gitlabhq!2401
author: Alessio Caiazza <acaiazza@gitlab.com> 2018-06-25 19:16:45 +0300
committer: Alessio Caiazza <acaiazza@gitlab.com> 2018-06-25 19:16:45 +0300
commit: 8d18f219feae2907a2f6f5041ea816395de19fb2 (patch)
tree: 7dfc8c247b1d9ec10d7089e69bb2c55d3ad07f5e /app/helpers/projects_helper.rb
parent: 9d6499a57812cd27014afe9663339f89927c3b82 (diff)
parent: 1fbf6f186948e29dfcd09332a083962904e674ae (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index be3958c40a4..8e2ca3e15bd 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,8 @@ module ProjectsHelper
       name_tag_options[:class] << 'has-tooltip'
     end
 
-    content_tag(:span, sanitize(username), name_tag_options)
+    # NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
+    content_tag(:span, username, name_tag_options)
   end
 
   def link_to_member(project, author, opts = {}, &block)
author	Alessio Caiazza <acaiazza@gitlab.com>	2018-06-25 19:16:45 +0300
committer	Alessio Caiazza <acaiazza@gitlab.com>	2018-06-25 19:16:45 +0300
commit	8d18f219feae2907a2f6f5041ea816395de19fb2 (patch)
tree	7dfc8c247b1d9ec10d7089e69bb2c55d3ad07f5e /app/helpers/projects_helper.rb
parent	9d6499a57812cd27014afe9663339f89927c3b82 (diff)
parent	1fbf6f186948e29dfcd09332a083962904e674ae (diff)