diff options
author | Bob Van Landuyt <bob@gitlab.com> | 2018-09-25 12:32:53 +0300 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-09-25 12:36:51 +0300 |
commit | 14e45a03a6c38960c1888dab12c6f040345e8bb5 (patch) | |
tree | 68e38ed9dd90abda06fdee0bbd344224df4c6d6d /app | |
parent | f8578ff3a13ab423e1970ba85a7149810e323aa9 (diff) |
Merge branch 'security-package-json-xss-11-3' into 'security-11-3'
[11.3] Fix XSS vulnerability sourced from package.json's homepage
See merge request gitlab/gitlabhq!2508
Diffstat (limited to 'app')
-rw-r--r-- | app/models/blob_viewer/package_json.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/models/blob_viewer/package_json.rb b/app/models/blob_viewer/package_json.rb index d12dd93ce2e..7cae60a74d6 100644 --- a/app/models/blob_viewer/package_json.rb +++ b/app/models/blob_viewer/package_json.rb @@ -33,7 +33,8 @@ module BlobViewer end def homepage - json_data['homepage'] + url = json_data['homepage'] + url if Gitlab::UrlSanitizer.valid?(url) end def npm_url |