Merge branch 'security-fix-xss-in-label-namespace' into 'master'

Escape namespace in label references Closes #2941 See merge request gitlab/gitlabhq!3509
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-11-26 20:02:49 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-11-26 20:02:49 +0300
commit: 6b50c98f7a3c38627603da3650240a401789bb79 (patch)
tree: 85019936afe1b6b21409cbc0b6e566160f5dca77 /lib/banzai
parent: 5df019e892f4e717772133e469303ab220938233 (diff)
parent: 54564e79d311f06cbf279d137d6d517efc5c9fb2 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index db620c65237..609ea8fb5ca 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -89,7 +89,7 @@ module Banzai
           parent_from_ref = from_ref_cached(project_path)
           reference       = parent_from_ref.to_human_reference(parent)
 
-          label_suffix = " <i>in #{reference}</i>" if reference.present?
+          label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
         end
 
         presenter = object.present(issuable_subject: parent)
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-11-26 20:02:49 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-11-26 20:02:49 +0300
commit	6b50c98f7a3c38627603da3650240a401789bb79 (patch)
tree	85019936afe1b6b21409cbc0b6e566160f5dca77 /lib/banzai
parent	5df019e892f4e717772133e469303ab220938233 (diff)
parent	54564e79d311f06cbf279d137d6d517efc5c9fb2 (diff)