Merge branch 'label-xss-10-3' into 'security-10-3'

[10.3] Fix XSS in issue label dropdown See merge request gitlab/gitlabhq!2253 (cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360) ea1fb0ea Fix XSS in issue label dropdown
2017-12-15 20:29:53 +00:00 · 2017-12-15 20:29:53 +00:00 · 6846b70dd4
commit 6846b70dd4
parent 72a57525a8
2 changed files with 10 additions and 1 deletions
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@ -231,7 +231,7 @@ export default class LabelsSelect {
            selectedClass.push('label-item');
            $a.attr('data-label-id', label.id);
          }
-          $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
+          $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
          // Return generated html
          return $li.html($a).prop('outerHTML');
        },
--- a/spec/features/issues/issue_sidebar_spec.rb
+++ b/spec/features/issues/issue_sidebar_spec.rb
@ -8,6 +8,7 @@ feature 'Issue Sidebar' do
  let(:issue) { create(:issue, project: project) }
  let!(:user) { create(:user)}
  let!(:label) { create(:label, project: project, title: 'bug') }
+  let!(:xss_label) { create(:label, project: project, title: '&lt;script&gt;alert("xss");&lt;&#x2F;script&gt;') }

  before do
    sign_in(user)
@ -99,6 +100,14 @@ feature 'Issue Sidebar' do
        restore_window_size
        open_issue_sidebar
      end
+
+      it 'escapes XSS when viewing issue labels' do
+        page.within('.block.labels') do
+          find('.edit-link').click
+
+          expect(page).to have_content '<script>alert("xss");</script>'
+        end
+      end
    end

    context 'editing issue labels', :js do