From 1f7a68f82cfcbca467392bc1accfde36763be698 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Iv=C3=A1n=20Vargas=20L=C3=B3pez?=
Date: Fri, 24 Aug 2018 18:29:20 +0000
Subject: Merge branch 'security-49085-11.2-persistent-xss-rendering' into 'security-11-2'
[11.2] Port of Fixed persistent XSS rendering/escaping of diff location lines to 11.2
See merge request gitlab/gitlabhq!2473
---
 lib/gitlab/diff/highlight.rb | 2 +-
 lib/gitlab/diff/line.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/gitlab/diff/highlight.rb b/lib/gitlab/diff/highlight.rb
index 5c1baa19b66..1f012043e56 100644
--- a/lib/gitlab/diff/highlight.rb
+++ b/lib/gitlab/diff/highlight.rb
@@ -37,7 +37,7 @@ module Gitlab
 end
 end
- diff_line.text = rich_line
+ diff_line.rich_text = rich_line
 diff_line
 end
diff --git a/lib/gitlab/diff/line.rb b/lib/gitlab/diff/line.rb
index 1faf7770634..633985d5caa 100644
--- a/lib/gitlab/diff/line.rb
+++ b/lib/gitlab/diff/line.rb
@@ -85,7 +85,7 @@ module Gitlab
 old_line: old_line,
 new_line: new_line,
 text: text,
- rich_text: rich_text || text,
+ rich_text: rich_text || CGI.escapeHTML(text),
 meta_data: meta_positions
 }
 end
--
cgit v1.2.3
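Review bot: The new assignment `diff_line.rich_text = rich_line` establishes a contract that `text` stays the raw source while `rich_text` is the only field meant to be rendered as HTML, but nothing in the hunk records that contract, and the next person who needs the highlighted form may reach for `text` again. A one-line comment above the assignment would pin it: `# Keep `text` as the raw, unescaped source; only `rich_text` may carry markup, so views must never render `text` without escaping it.` Whether `rich_line` itself is HTML-safe for every kind of line is not visible here, since the method that builds it starts above this hunk; it is worth confirming that the non-highlighted fallback path in that method also escapes. The enclosing method begins outside the hunk.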
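Review bot: The fallback `rich_text || CGI.escapeHTML(text)` escapes only at the point this hash is built, so any other reader of the `rich_text` attribute on a line that was never highlighted still sees `nil` and may fall back to the unescaped `text` on its own; if that reader exists, consider moving the fallback into a `rich_text` reader on the object so every consumer receives the escaped value. `CGI` is used here without a visible `require 'cgi'` in this hunk; it is presumably loaded by the framework, but if this file is ever loaded standalone the require should be added. A regression spec for this path is cheap and worth adding: build a line whose `text` contains `<` and `&` with no `rich_text`, and assert the serialized `rich_text` is the escaped form. The enclosing method begins outside the hunk.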