diff options
| author | Filipa Lacerda <filipa@gitlab.com> | 2018-08-09 14:05:13 +0300 |
|---|---|---|
| committer | Filipa Lacerda <filipa@gitlab.com> | 2018-08-09 20:28:05 +0300 |
| commit | 5e8f11e5fdb792f17d86cf9321537c5c56801a17 (patch) | |
| tree | 77a87f8692bd1a24cb4c76d11c7c7740ee1e466f /app/views/projects/jobs | |
| parent | 68082d352516b5367fce76453b8992f4e44d127e (diff) | |
Removes <br> sent from backend on tooltips in jobs
When backend sends HTML it requires frontend to append it to the DOM causing
XSS vulnerabilities. By removing the `<br>` we avoid those vulnerabilities
Diffstat (limited to 'app/views/projects/jobs')
| -rw-r--r-- | app/views/projects/jobs/_sidebar.html.haml | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/projects/jobs/_sidebar.html.haml b/app/views/projects/jobs/_sidebar.html.haml index 759efd4e9d4..74f88486738 100644 --- a/app/views/projects/jobs/_sidebar.html.haml +++ b/app/views/projects/jobs/_sidebar.html.haml @@ -87,7 +87,7 @@ - builds.select{|build| build.status == build_status}.each do |build| .build-job{ class: sidebar_build_class(build, @build), data: { stage: build.stage } } - tooltip = sanitize(build.tooltip_message.dup) - = link_to(project_job_path(@project, build), data: { toggle: 'tooltip', html: 'true', title: tooltip, container: 'body' }) do + = link_to(project_job_path(@project, build), data: { toggle: 'tooltip', title: tooltip, container: 'body' }) do = sprite_icon('arrow-right', size:16, css_class: 'icon-arrow-right') %span{ class: "ci-status-icon-#{build.status}" } = ci_icon_for_status(build.status) |