Merge branch 'security-label-xss-11-6' into 'security-11-6'

[11.6] Escape html entities when no label found See merge request gitlab/gitlabhq!2747
author: John Jarvis <jarv@gitlab.com> 2018-12-27 11:36:14 +0300
committer: John Jarvis <jarv@gitlab.com> 2018-12-27 11:36:14 +0300
commit: 5c7a254f8827d70e510d91ac05c1620db60513c2 (patch)
tree: 262f47c0cd5815bdef5350a2c34b261913c7dfb7 /lib
parent: 28ea9a7d693e7bff23248d910ff4dca84e3e6d07 (diff)
parent: a5843ecb4c6dd6e61efb21ed3b602a8a32981492 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index 04ec38209c7..f90a35952e5 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -29,7 +29,7 @@ module Banzai
           if label
             yield match, label.id, project, namespace, $~
           else
-            match
+            escape_html_entities(match)
           end
         end
       end
@@ -102,6 +102,10 @@ module Banzai
         CGI.unescapeHTML(text.to_s)
       end
 
+      def escape_html_entities(text)
+        CGI.escapeHTML(text.to_s)
+      end
+
       def object_link_title(object, matches)
         # use title of wrapped element instead
         nil
author	John Jarvis <jarv@gitlab.com>	2018-12-27 11:36:14 +0300
committer	John Jarvis <jarv@gitlab.com>	2018-12-27 11:36:14 +0300
commit	5c7a254f8827d70e510d91ac05c1620db60513c2 (patch)
tree	262f47c0cd5815bdef5350a2c34b261913c7dfb7 /lib
parent	28ea9a7d693e7bff23248d910ff4dca84e3e6d07 (diff)
parent	a5843ecb4c6dd6e61efb21ed3b602a8a32981492 (diff)