author | Paul Slaughter <pslaughter@gitlab.com> | 2019-02-26 17:43:43 +0300 |
---|---|---|
committer | Paul Slaughter <pslaughter@gitlab.com> | 2019-03-07 10:54:16 +0300 |
commit | e6e9c10ee1be86301db02cbf7d0e833b2ef6e073 (patch) | |
tree | ded9edefeb95c1b8f6209d0c500f9576d452d943 /app/views/projects/merge_requests/conflicts/_submit_form.html.haml | |
parent | f944971b0bad25014a846d296057b2e89a6a340c (diff) |
Fix XSS in resolve conflicts form
The issue arose when the branch name contained Vue template
JavaScript. The fix is to use `v-pre` which disables Vue
compilation in a template.
Diffstat (limited to 'app/views/projects/merge_requests/conflicts/_submit_form.html.haml')
-rw-r--r-- | app/views/projects/merge_requests/conflicts/_submit_form.html.haml | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml index 8181267184a..55c89f137c5 100644 --- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml +++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml @@ -6,7 +6,7 @@ .form-group.row .col-md-4 %h4= _('Resolve conflicts on source branch') - .resolve-info + .resolve-info{ "v-pre": true } = translation.html_safe .col-md-8 %label.label-bold{ "for" => "commit-message" } |
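Review bot: `v-pre` on `.resolve-info` only stops Vue from compiling mustache expressions inside that element; the unchanged `= translation.html_safe` line right below it still emits the string as raw HTML. The fix therefore depends on the branch name being HTML-escaped wherever `translation` is built, which is not visible in this hunk, so please confirm that in the same review. I would also add a short HAML comment above `.resolve-info{ "v-pre": true }` saying the attribute is there because the text contains a user-controlled branch name, so a later refactor does not drop it, and a regression spec that renders this form with a branch name containing `{{ }}` and asserts it appears as literal text.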