From e6e9c10ee1be86301db02cbf7d0e833b2ef6e073 Mon Sep 17 00:00:00 2001
From: Paul Slaughter
Date: Tue, 26 Feb 2019 08:43:43 -0600
Subject: Fix XSS in resolve conflicts form

The issue arose when the branch name contained Vue template JavaScript. The fix is to use `v-pre` which disables Vue compilation in a template.
---
 app/views/projects/merge_requests/conflicts/_submit_form.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/views/projects/merge_requests')

diff --git a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
index 8181267184a..55c89f137c5 100644
--- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
+++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
@@ -6,7 +6,7 @@
 .form-group.row
 .col-md-4
 %h4= _('Resolve conflicts on source branch')
- .resolve-info
+ .resolve-info{ "v-pre": true }
 = translation.html_safe
 .col-md-8
 %label.label-bold{ "for" => "commit-message" }
-- 
cgit v1.2.3
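Review bot: Adding `v-pre` to `.resolve-info` stops Vue from compiling the branch name as template syntax, but the child line `= translation.html_safe` still emits `translation` into the page unescaped, so the fix is complete only if the server-side code that builds `translation` (outside this hunk) HTML-escapes the branch name and any other interpolated values; that is worth confirming with a view spec that renders a branch name containing both mustache-style template syntax and HTML markup. `v-pre` also covers only the `.resolve-info` subtree, so any other user-controlled text rendered into this Vue-mounted form would need the same attribute. A HAML comment on the line above the element, `-# v-pre: branch names are user-controlled; prevent Vue from compiling them as template syntax (XSS)`, would keep a later refactor from dropping the attribute without understanding why it is there.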