Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorSteve Azzopardi <sazzopardi@gitlab.com>2018-11-18 13:33:22 +0300
committerSteve Azzopardi <steveazz@outlook.com>2018-11-18 13:47:57 +0300
commit953f789fd3dd9bcb1f2f20410c116557187df231 (patch)
tree33eda54807b7d0824cb27ca20045e431247b9eff /app
parente70f2a5b944653e6fa1f155e79b2c1dab83cb650 (diff)
Merge branch 'security-11-3-2717-xss-username-autocomplete' into 'security-11-3'
[11.3] Escape user fullname while rendering autocomplete template to prevent XSS See merge request gitlab/gitlabhq!2608
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/gfm_auto_complete.js15
1 files changed, 11 insertions, 4 deletions
diff --git a/app/assets/javascripts/gfm_auto_complete.js b/app/assets/javascripts/gfm_auto_complete.js
index 03256ca2285..a0454354fd0 100644
--- a/app/assets/javascripts/gfm_auto_complete.js
+++ b/app/assets/javascripts/gfm_auto_complete.js
@@ -149,10 +149,16 @@ class GfmAutoComplete {
// Team Members
$input.atwho({
at: '@',
+ alias: 'users',
displayTpl(value) {
let tmpl = GfmAutoComplete.Loading.template;
- if (value.username != null) {
- tmpl = GfmAutoComplete.Members.template;
+ const { avatarTag, username, title } = value;
+ if (username != null) {
+ tmpl = GfmAutoComplete.Members.templateFunction({
+ avatarTag,
+ username,
+ title,
+ });
}
return tmpl;
},
@@ -512,8 +518,9 @@ GfmAutoComplete.Emoji = {
};
// Team Members
GfmAutoComplete.Members = {
- // eslint-disable-next-line no-template-curly-in-string
- template: '<li>${avatarTag} ${username} <small>${title}</small></li>',
+ templateFunction({ avatarTag, username, title }) {
+ return `<li>${avatarTag} ${username} <small>${_.escape(title)}</small></li>`;
+ },
};
GfmAutoComplete.Labels = {
// eslint-disable-next-line no-template-curly-in-string
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-16 15:29:34 +0300