diff options
| author | Stan Hu <stanhu@gmail.com> | 2016-05-07 18:41:10 +0300 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2016-05-07 18:41:10 +0300 |
| commit | adf9a51899b02f7adc678dca7909201500f05026 (patch) | |
| tree | fbe3212b1ec2c6a29cf9d1a1bea12e908e11d181 /app/services/system_note_service.rb | |
| parent | 2e1162272e2f90a3677f3def491907729b249434 (diff) | |
Escape HTML in commit titles in system note messages
Closes #17348
Diffstat (limited to 'app/services/system_note_service.rb')
| -rw-r--r-- | app/services/system_note_service.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/app/services/system_note_service.rb b/app/services/system_note_service.rb index 82a0e2fd1f5..4bdb1b0c074 100644 --- a/app/services/system_note_service.rb +++ b/app/services/system_note_service.rb @@ -351,7 +351,7 @@ class SystemNoteService # Returns an Array of Strings def self.new_commit_summary(new_commits) new_commits.collect do |commit| - "* #{commit.short_id} - #{commit.title}" + "* #{commit.short_id} - #{escape_html(commit.title)}" end end @@ -433,4 +433,8 @@ class SystemNoteService body = "Moved #{direction} #{cross_reference}" create_note(noteable: noteable, project: project, author: author, note: body) end + + def self.escape_html(text) + Rack::Utils.escape_html(text) + end end |