From 60b56b48afb89ed1890409b6c425f16549c4d28b Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Sep 2021 12:54:43 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
---
 app/helpers/external_link_helper.rb | 5 ++++-
 app/helpers/icons_helper.rb | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
(limited to 'app/helpers')
diff --git a/app/helpers/external_link_helper.rb b/app/helpers/external_link_helper.rb
index 058302d1ed8..c951d0daf96 100644
--- a/app/helpers/external_link_helper.rb
+++ b/app/helpers/external_link_helper.rb
@@ -1,9 +1,12 @@
 # frozen_string_literal: true
 
 module ExternalLinkHelper
+ include ActionView::Helpers::TextHelper
+
 def external_link(body, url, options = {})
- link_to url, { target: '_blank', rel: 'noopener noreferrer' }.merge(options) do
+ link = link_to url, { target: '_blank', rel: 'noopener noreferrer' }.merge(options) do
 "#{body}#{sprite_icon('external-link', css_class: 'gl-ml-1')}".html_safe
 end
+ sanitize(link, tags: %w(a svg use), attributes: %w(target rel data-testid class href).concat(options.stringify_keys.keys))
 end
 end
diff --git a/app/helpers/icons_helper.rb b/app/helpers/icons_helper.rb
index 096a3f2269b..c38b4a7aedf 100644
--- a/app/helpers/icons_helper.rb
+++ b/app/helpers/icons_helper.rb
@@ -44,7 +44,7 @@ module IconsHelper
 
 content_tag(
 :svg,
- content_tag(:use, '', { 'xlink:href' => "#{sprite_icon_path}##{icon_name}" } ),
+ content_tag(:use, '', { 'href' => "#{sprite_icon_path}##{icon_name}" } ),
 class: css_classes.empty? ? nil : css_classes.join(' '),
 data: { testid: "#{icon_name}-icon" }
 )
-- cgit v1.2.3
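Review bot: The `attributes:` allow-list passed to `sanitize` in `external_link` is widened with `options.stringify_keys.keys`, so any key a caller supplies (an event-handler attribute, `style`) is exempt from scrubbing, and the helper is only as safe as every call site's choice of option keys. A fixed list would be more robust, for example `ALLOWED_ATTRIBUTES = %w(target rel data-testid class href).freeze` extended only with the specific extra names call sites are known to need. Separately, `body` is still interpolated unescaped and marked `html_safe` before sanitizing; `safe_join([body, sprite_icon('external-link', css_class: 'gl-ml-1')])` would escape a non-safe `body` at the source, assuming no caller relies on passing markup as a plain string. Nested options such as `data: { ... }` contribute the key `data` rather than the rendered `data-*` names, so those attributes are presumably stripped by the sanitizer; a spec covering that case would confirm it.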
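Review bot: The switch from `'xlink:href'` to `'href'` on the `<use>` element in icons_helper.rb carries no comment explaining why, and it appears to be coupled to the `sanitize` allow-list added in `external_link`, which permits `href` but not `xlink:href`; a later revert would then silently drop the icon from sanitized links. A comment above the `content_tag(:use, ...)` line such as `# Plain href (not xlink:href) so the icon survives sanitize allow-lists that permit only href` would record the dependency. Plain `href` on `<use>` is SVG 2 syntax, so it is worth confirming the supported-browser list covers it. The enclosing method starts and ends outside the hunk.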