author | Alessio Caiazza <acaiazza@gitlab.com> | 2018-06-25 19:16:45 +0300
---|---|---
committer | Alessio Caiazza <acaiazza@gitlab.com> | 2018-06-25 19:16:45 +0300
commit | 8d18f219feae2907a2f6f5041ea816395de19fb2 (patch) |
tree | 7dfc8c247b1d9ec10d7089e69bb2c55d3ad07f5e /app/helpers/projects_helper.rb |
parent | 9d6499a57812cd27014afe9663339f89927c3b82 (diff) |
parent | 1fbf6f186948e29dfcd09332a083962904e674ae (diff) |
Merge branch 'security-html_escape_usernames' into 'master'
[master] HTML escape the name of the user in ProjectsHelper#link_to_member
See merge request gitlab/gitlabhq!2401
Diffstat (limited to 'app/helpers/projects_helper.rb')
-rw-r--r-- | app/helpers/projects_helper.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb index be3958c40a4..8e2ca3e15bd 100644 --- a/app/helpers/projects_helper.rb +++ b/app/helpers/projects_helper.rb @@ -40,7 +40,8 @@ module ProjectsHelper name_tag_options[:class] << 'has-tooltip' end - content_tag(:span, sanitize(username), name_tag_options) + # NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username + content_tag(:span, username, name_tag_options) end def link_to_member(project, author, opts = {}, &block) |
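Review bot: the correctness of swapping `sanitize(username)` for `content_tag(:span, username, name_tag_options)` rests on `username` reaching this helper as a plain String, because `content_tag` escapes its content only when that content is not already marked `html_safe`; the hunk shows the helper body but not where `username` is built, so it is worth confirming that no caller passes a SafeBuffer, and adding a spec that a user name containing markup such as `<b>` or a `<script>` tag renders as escaped text would lock the behaviour in. The NOTE comment is a good addition, since `sanitize` was the wrong tool for this spot: it whitelists or strips tags rather than escaping them, so a name containing markup permitted by the sanitizer would have been emitted as HTML instead of as literal text, which is exactly what the merge request title describes fixing.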