diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:30 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:30 +0300 |
commit | 5d5c906bf6a05813d9e9ea4217d4d2ed0fc372e5 (patch) | |
tree | cfdd07776729522bc14d2bd5ea8c13eb60ebc49b /lib | |
parent | b72162e7b64c17379932db4904314aab8f9dd086 (diff) | |
parent | ddfdc0dc15afd7d62c156fecb0cdab5a3aa55b6b (diff) |
Merge branch 'security-fix-xss-in-label-namespace-12-4' into '12-4-stable'
Escape namespace in label references
See merge request gitlab/gitlabhq!3551
Diffstat (limited to 'lib')
-rw-r--r-- | lib/banzai/filter/label_reference_filter.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb index db620c65237..609ea8fb5ca 100644 --- a/lib/banzai/filter/label_reference_filter.rb +++ b/lib/banzai/filter/label_reference_filter.rb @@ -89,7 +89,7 @@ module Banzai parent_from_ref = from_ref_cached(project_path) reference = parent_from_ref.to_human_reference(parent) - label_suffix = " <i>in #{reference}</i>" if reference.present? + label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present? end presenter = object.present(issuable_subject: parent) |