From 5e8f11e5fdb792f17d86cf9321537c5c56801a17 Mon Sep 17 00:00:00 2001
From: Filipa Lacerda <filipa@gitlab.com>
Date: Thu, 9 Aug 2018 12:05:13 +0100
Subject: Removes <br> sent from backend on tooltips in jobs

When backend sends HTML it requires frontend to append it to the DOM causing
XSS vulnerabilities. By removing the `<br>` we avoid those vulnerabilities
---
 .../pipelines/components/graph/dropdown_job_component.vue            | 3 +--
 app/assets/javascripts/pipelines/components/graph/job_component.vue  | 5 +----
 2 files changed, 2 insertions(+), 6 deletions(-)

(limited to 'app/assets/javascripts/pipelines/components')

diff --git a/app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue b/app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue
index 8487c8036ee..2ad66f4fe86 100644
--- a/app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue
@@ -1,6 +1,5 @@
 <script>
 import $ from 'jquery';
-import _ from 'underscore';
 import JobNameComponent from './job_name_component.vue';
 import JobComponent from './job_component.vue';
 import tooltip from '../../../vue_shared/directives/tooltip';
@@ -47,7 +46,7 @@ export default {
 
   computed: {
     tooltipText() {
-      return _.escape(`${this.job.name} - ${this.job.status.label}`);
+      return `${this.job.name} - ${this.job.status.label}`;
     },
   },
 
diff --git a/app/assets/javascripts/pipelines/components/graph/job_component.vue b/app/assets/javascripts/pipelines/components/graph/job_component.vue
index 66f95147193..9ac16b7e541 100644
--- a/app/assets/javascripts/pipelines/components/graph/job_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/job_component.vue
@@ -1,5 +1,4 @@
 <script>
-import _ from 'underscore';
 import ActionComponent from './action_component.vue';
 import JobNameComponent from './job_name_component.vue';
 import tooltip from '../../../vue_shared/directives/tooltip';
@@ -62,7 +61,7 @@ export default {
       const textBuilder = [];
 
       if (this.job.name) {
-        textBuilder.push(_.escape(this.job.name));
+        textBuilder.push(this.job.name);
       }
 
       if (this.job.name && this.status.tooltip) {
@@ -106,7 +105,6 @@ export default {
       :class="cssClassJobName"
       :data-boundary="tooltipBoundary"
       data-container="body"
-      data-html="true"
       class="js-pipeline-graph-job-link"
     >
 
@@ -122,7 +120,6 @@ export default {
       :title="tooltipText"
       :class="cssClassJobName"
       class="js-job-component-tooltip non-details-job-component"
-      data-html="true"
       data-container="body"
     >
 
-- 
cgit v1.2.3