Escape namespace in label references
When referencing cross-namespace labels, we append the namespace name to the rendered label. This MR escapes the name to prevent XSS attacks.
This commit is contained in:
parent
33c89fa9c7
commit
54564e79d3
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Escape namespace in label references to prevent XSS
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -89,7 +89,7 @@ module Banzai
|
|||
parent_from_ref = from_ref_cached(project_path)
|
||||
reference = parent_from_ref.to_human_reference(parent)
|
||||
|
||||
label_suffix = " <i>in #{reference}</i>" if reference.present?
|
||||
label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
|
||||
end
|
||||
|
||||
presenter = object.present(issuable_subject: parent)
|
||||
|
|
|
@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
|
|||
|
||||
expect(reference_filter(act).to_html).to eq exp
|
||||
end
|
||||
|
||||
context 'when group name has HTML entities' do
|
||||
let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
|
||||
|
||||
it 'escapes the HTML entities' do
|
||||
expect(result.text)
|
||||
.to eq "See #{group_label.name} in #{another_project.full_name}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'cross-project / same-group_label complete reference' do
|
||||
|
|
Loading…
Reference in New Issue