From 6846b70dd499f5aeee6936b3f9604fe42cafe87a Mon Sep 17 00:00:00 2001 From: Jacob Schatz Date: Fri, 15 Dec 2017 20:29:53 +0000 Subject: [PATCH] Merge branch 'label-xss-10-3' into 'security-10-3' [10.3] Fix XSS in issue label dropdown See merge request gitlab/gitlabhq!2253 (cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360) ea1fb0ea Fix XSS in issue label dropdown --- app/assets/javascripts/labels_select.js | 2 +- spec/features/issues/issue_sidebar_spec.rb | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js index f7a1c9f1e40..664e793fc8e 100644 --- a/app/assets/javascripts/labels_select.js +++ b/app/assets/javascripts/labels_select.js @@ -231,7 +231,7 @@ export default class LabelsSelect { selectedClass.push('label-item'); $a.attr('data-label-id', label.id); } - $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title); + $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`); // Return generated html return $li.html($a).prop('outerHTML'); }, diff --git a/spec/features/issues/issue_sidebar_spec.rb b/spec/features/issues/issue_sidebar_spec.rb index a5c9d0bde5d..64b4f9e7e67 100644 --- a/spec/features/issues/issue_sidebar_spec.rb +++ b/spec/features/issues/issue_sidebar_spec.rb @@ -8,6 +8,7 @@ feature 'Issue Sidebar' do let(:issue) { create(:issue, project: project) } let!(:user) { create(:user)} let!(:label) { create(:label, project: project, title: 'bug') } + let!(:xss_label) { create(:label, project: project, title: '<script>alert("xss");</script>') } before do sign_in(user) @@ -99,6 +100,14 @@ feature 'Issue Sidebar' do restore_window_size open_issue_sidebar end + + it 'escapes XSS when viewing issue labels' do + page.within('.block.labels') do + find('.edit-link').click + + expect(page).to have_content '' + end + end end context 'editing issue labels', :js do