Fix HTML injection for label description

author: Patrick Derichs <pderichs@gitlab.com> 2019-08-01 10:18:12 +0300
committer: Patrick Derichs <pderichs@gitlab.com> 2019-08-05 17:27:37 +0300
commit: 5bfd913736eb7603630cd7af79adf2214ab50109 (patch)
tree: 3fd9af7edd518a9ca741c32fd0023882200b71b7 /app
parent: 6ccbccc2010dc1197d7b721c76cdb176050e43d8 (diff)
2 files changed, 7 insertions, 3 deletions
diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index db4f29cd996..bed6eb90209 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -72,7 +72,7 @@ module LabelsHelper
   end
 
   def label_tooltip_title(label)
-    label.description
+    Sanitize.clean(label.description)
   end
 
   def suggested_colors
diff --git a/app/models/label.rb b/app/models/label.rb
index b83e0862bab..b86d4aa84ff 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -193,7 +193,11 @@ class Label < ApplicationRecord
   end
 
   def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
   end
 
   ##
@@ -254,7 +258,7 @@ class Label < ApplicationRecord
     end
   end
 
-  def sanitize_title(value)
+  def sanitize_value(value)
     CGI.unescapeHTML(Sanitize.clean(value.to_s))
   end
author	Patrick Derichs <pderichs@gitlab.com>	2019-08-01 10:18:12 +0300
committer	Patrick Derichs <pderichs@gitlab.com>	2019-08-05 17:27:37 +0300
commit	5bfd913736eb7603630cd7af79adf2214ab50109 (patch)
tree	3fd9af7edd518a9ca741c32fd0023882200b71b7 /app
parent	6ccbccc2010dc1197d7b721c76cdb176050e43d8 (diff)