Merge branch 'security-fix-xss-in-label-namespace-12-4' into '12-4-stable'

Escape namespace in label references See merge request gitlab/gitlabhq!3551
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-11-26 15:01:30 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-11-26 15:01:30 +0300
commit: 5d5c906bf6a05813d9e9ea4217d4d2ed0fc372e5 (patch)
tree: cfdd07776729522bc14d2bd5ea8c13eb60ebc49b /lib
parent: b72162e7b64c17379932db4904314aab8f9dd086 (diff)
parent: ddfdc0dc15afd7d62c156fecb0cdab5a3aa55b6b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index db620c65237..609ea8fb5ca 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -89,7 +89,7 @@ module Banzai
           parent_from_ref = from_ref_cached(project_path)
           reference       = parent_from_ref.to_human_reference(parent)
 
-          label_suffix = " <i>in #{reference}</i>" if reference.present?
+          label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
         end
 
         presenter = object.present(issuable_subject: parent)
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-11-26 15:01:30 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-11-26 15:01:30 +0300
commit	5d5c906bf6a05813d9e9ea4217d4d2ed0fc372e5 (patch)
tree	cfdd07776729522bc14d2bd5ea8c13eb60ebc49b /lib
parent	b72162e7b64c17379932db4904314aab8f9dd086 (diff)
parent	ddfdc0dc15afd7d62c156fecb0cdab5a3aa55b6b (diff)