Merge branch 'security-49085-11.2-persistent-xss-rendering' into 'security-11-2'

[11.2] Port of Fixed persistent XSS rendering/escaping of diff location lines to 11.2 See merge request gitlab/gitlabhq!2473
author: José Iván Vargas López <jvargas@gitlab.com> 2018-08-24 21:29:20 +0300
committer: Jose Vargas <jvargas@gitlab.com> 2018-08-24 21:43:18 +0300
commit: 1f7a68f82cfcbca467392bc1accfde36763be698 (patch)
tree: 2ad5d7c3bdabf7056a4da4b43f1af35a598acfff /lib
parent: 61dce108f66739bebbc56a1a1bdd0752d502656e (diff)
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/gitlab/diff/highlight.rb b/lib/gitlab/diff/highlight.rb
index 5c1baa19b66..1f012043e56 100644
--- a/lib/gitlab/diff/highlight.rb
+++ b/lib/gitlab/diff/highlight.rb
@@ -37,7 +37,7 @@ module Gitlab
             end
           end
 
-          diff_line.text = rich_line
+          diff_line.rich_text = rich_line
 
           diff_line
         end
diff --git a/lib/gitlab/diff/line.rb b/lib/gitlab/diff/line.rb
index 1faf7770634..633985d5caa 100644
--- a/lib/gitlab/diff/line.rb
+++ b/lib/gitlab/diff/line.rb
@@ -85,7 +85,7 @@ module Gitlab
           old_line: old_line,
           new_line: new_line,
           text: text,
-          rich_text: rich_text || text,
+          rich_text: rich_text || CGI.escapeHTML(text),
           meta_data: meta_positions
         }
       end
author	José Iván Vargas López <jvargas@gitlab.com>	2018-08-24 21:29:20 +0300
committer	Jose Vargas <jvargas@gitlab.com>	2018-08-24 21:43:18 +0300
commit	1f7a68f82cfcbca467392bc1accfde36763be698 (patch)
tree	2ad5d7c3bdabf7056a4da4b43f1af35a598acfff /lib
parent	61dce108f66739bebbc56a1a1bdd0752d502656e (diff)