author | Steve Azzopardi <sazzopardi@gitlab.com> | 2018-11-18 13:33:22 +0300 |
---|---|---|
committer | Steve Azzopardi <steveazz@outlook.com> | 2018-11-18 13:47:57 +0300 |
commit | 953f789fd3dd9bcb1f2f20410c116557187df231 (patch) | |
tree | 33eda54807b7d0824cb27ca20045e431247b9eff /app | |
parent | e70f2a5b944653e6fa1f155e79b2c1dab83cb650 (diff) |
Merge branch 'security-11-3-2717-xss-username-autocomplete' into 'security-11-3'
[11.3] Escape user fullname while rendering autocomplete template to prevent XSS
See merge request gitlab/gitlabhq!2608
Diffstat (limited to 'app')
-rw-r--r-- | app/assets/javascripts/gfm_auto_complete.js | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/app/assets/javascripts/gfm_auto_complete.js b/app/assets/javascripts/gfm_auto_complete.js
index 03256ca2285..a0454354fd0 100644
--- a/app/assets/javascripts/gfm_auto_complete.js
+++ b/app/assets/javascripts/gfm_auto_complete.js
@@ -149,10 +149,16 @@ class GfmAutoComplete {
 // Team Members
 $input.atwho({
 at: '@',
+ alias: 'users',
 displayTpl(value) {
 let tmpl = GfmAutoComplete.Loading.template;
- if (value.username != null) {
- tmpl = GfmAutoComplete.Members.template;
+ const { avatarTag, username, title } = value;
+ if (username != null) {
+ tmpl = GfmAutoComplete.Members.templateFunction({
+ avatarTag,
+ username,
+ title,
+ });
 }
 return tmpl;
 },
@@ -512,8 +518,9 @@ GfmAutoComplete.Emoji = {
 };
 // Team Members
 GfmAutoComplete.Members = {
- // eslint-disable-next-line no-template-curly-in-string
- template: '<li>${avatarTag} ${username} <small>${title}</small></li>',
+ templateFunction({ avatarTag, username, title }) {
+ return `<li>${avatarTag} ${username} <small>${_.escape(title)}</small></li>`;
+ },
 };
 GfmAutoComplete.Labels = {
 // eslint-disable-next-line no-template-curly-in-string |
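Review bot: In the second hunk, `templateFunction` escapes only `title`; `avatarTag` and `username` are still interpolated into the `<li>` markup unescaped, and nothing in the hunk records why that is acceptable. Presumably `avatarTag` is pre-rendered markup that must stay raw and `username` is constrained by server-side validation, but neither is visible here, so the trust boundary should be stated where the next person will edit it: `// avatarTag is trusted markup; username is assumed server-validated. Any other user-controlled field must go through _.escape.` The new code also relies on `_` (Underscore/Lodash) being in scope, which neither hunk shows being imported — worth confirming against the file's header, since a missing binding would only surface at render time.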