diff options
| author | Paul Slaughter <pslaughter@gitlab.com> | 2019-02-26 17:43:43 +0300 |
|---|---|---|
| committer | Paul Slaughter <pslaughter@gitlab.com> | 2019-03-21 19:04:59 +0300 |
| commit | 5f338ce9ebacfbf13daf435a845ce0b3da9c7e06 (patch) | |
| tree | c7b2f42496a7e031dca06fb4d4b4ae85b7999a36 /app | |
| parent | 2f25e43662addc546605cb161396a3fad299ecdb (diff) | |
Fix XSS in resolve conflicts form
The issue arose when the branch name contained Vue template
JavaScript. The fix is to use `v-pre` which disables Vue
compilation in a template.
Diffstat (limited to 'app')
| -rw-r--r-- | app/views/projects/merge_requests/conflicts/_submit_form.html.haml | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml index 8181267184a..55c89f137c5 100644 --- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml +++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml @@ -6,7 +6,7 @@ .form-group.row .col-md-4 %h4= _('Resolve conflicts on source branch') - .resolve-info + .resolve-info{ "v-pre": true } = translation.html_safe .col-md-8 %label.label-bold{ "for" => "commit-message" } |