author | Patrick Derichs <pderichs@gitlab.com> | 2019-08-01 10:18:12 +0300 |
---|---|---|
committer | Patrick Derichs <pderichs@gitlab.com> | 2019-08-05 17:27:37 +0300 |
commit | 5bfd913736eb7603630cd7af79adf2214ab50109 (patch) | |
tree | 3fd9af7edd518a9ca741c32fd0023882200b71b7 /app | |
parent | 6ccbccc2010dc1197d7b721c76cdb176050e43d8 (diff) |
Fix HTML injection for label description
Diffstat (limited to 'app')
-rw-r--r-- | app/helpers/labels_helper.rb | 2 | ||||
-rw-r--r-- | app/models/label.rb | 8 |
2 files changed, 7 insertions, 3 deletions
diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index db4f29cd996..bed6eb90209 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -72,7 +72,7 @@ module LabelsHelper
 end
 def label_tooltip_title(label)
- label.description
+ Sanitize.clean(label.description)
 end
 def suggested_colors
diff --git a/app/models/label.rb b/app/models/label.rb
index b83e0862bab..b86d4aa84ff 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -193,7 +193,11 @@ class Label < ApplicationRecord
 end
 def title=(value)
- write_attribute(:title, sanitize_title(value)) if value.present?
+ write_attribute(:title, sanitize_value(value)) if value.present?
+ end
+
+ def description=(value)
+ write_attribute(:description, sanitize_value(value)) if value.present?
 end
 ##
@@ -254,7 +258,7 @@ class Label < ApplicationRecord
 end
 end
- def sanitize_title(value)
+ def sanitize_value(value)
 CGI.unescapeHTML(Sanitize.clean(value.to_s))
 end
|
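Review bot: `Sanitize.clean` returns HTML-escaped text, so `label_tooltip_title` now turns `a & b` into `a &amp; b`; if the caller places that result in a `title` attribute which Rails escapes again, the tooltip will display the literal `&amp;`, whereas if the tooltip is rendered as HTML the escaped form is exactly what is wanted — which path applies is not visible in this hunk and should be confirmed. `label.description` can also be `nil` for labels without a description, and whether `Sanitize.clean(nil)` tolerates that depends on the gem version; `Sanitize.clean(label.description.to_s)` matches the `value.to_s` form the model already uses. A short comment on the method would help the next reader, e.g. `# Returns tag-stripped, HTML-escaped text; the description is also sanitized on write in Label#description=.`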
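Review bot: `description=` silently drops blank assignments because of `if value.present?`, so clearing a label's description with `""` or `nil` leaves the previous text in place; the same guard is defensible for `title`, which is required, but description is optional. A form that keeps the clearing path is `write_attribute(:description, value.present? ? sanitize_value(value) : value)`. Note also that `sanitize_value` (renamed in the next hunk) calls `CGI.unescapeHTML` after `Sanitize.clean`, so entity-encoded input such as `&lt;b&gt;` is stored as the literal text `<b>`; that is safe only while every output path escapes or re-sanitizes it, as `label_tooltip_title` in labels_helper.rb now does, and a comment on `sanitize_value` saying the stored value is plain text that must still be escaped on render would make that contract explicit. The enclosing `Label` class starts and ends outside the hunk.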