Merge branch '10-7-security_issue_42029' into 'security-10-7'

Sanitize user name to avoid XSS attacks

See merge request gitlab/gitlabhq!2373

app/assets/javascripts/sidebar/lib/sidebar_move_issue.js

@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import _ from 'underscore';
 
 function isValidProjectId(id) {
   return id > 0;
@@ -43,7 +44,7 @@ class SidebarMoveIssue {
       renderRow: project => `
         <li>
           <a href="#" class="js-move-issue-dropdown-item">
-            ${project.name_with_namespace}
+            ${_.escape(project.name_with_namespace)}
           </a>
         </li>
       `,

changelogs/unreleased/security_issue_42029.yml

@@ -0,0 +1,5 @@
+---
+title: Sanitizes user name to avoid XSS attacks
+merge_request:
+author:
+type: security

spec/javascripts/sidebar/mock_data.js

@@ -138,7 +138,7 @@ const RESPONSE_MAP = {
       },
       {
         id: 20,
-        name_with_namespace: 'foo / bar',
+        name_with_namespace: '<img src=x onerror=alert(document.domain)> foo / bar',
       },
     ],
   },

spec/javascripts/sidebar/sidebar_move_issue_spec.js

@@ -69,6 +69,15 @@ describe('SidebarMoveIssue', function () {
 
       expect($.fn.glDropdown).toHaveBeenCalled();
     });
+
+    it('escapes html from project name', (done) => {
+      this.$toggleButton.dropdown('toggle');
+
+      setTimeout(() => {
+        expect(this.$content.find('.js-move-issue-dropdown-item')[1].innerHTML.trim()).toEqual('<img src=x onerror=alert(document.domain)> foo / bar');
+        done();
+      });
+    });
   });
 
   describe('onConfirmClicked', () => {