Merge branch 'security-html_escape_usernames' into 'master'
[master] HTML escape the name of the user in ProjectsHelper#link_to_member See merge request gitlab/gitlabhq!2401
This commit is contained in:
commit
8d18f219fe
@ -40,7 +40,8 @@ module ProjectsHelper
|
|||
name_tag_options[:class] << 'has-tooltip'
|
||||
end
|
||||
|
||||
content_tag(:span, sanitize(username), name_tag_options)
|
||||
# NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
|
||||
content_tag(:span, username, name_tag_options)
|
||||
end
|
||||
|
||||
def link_to_member(project, author, opts = {}, &block)
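Review bot: The NOTE added above `content_tag(:span, username, name_tag_options)` reads as if the escaping is unconditional, but ActionView's content_tag leaves content untouched when the string is already marked html_safe, so the fix holds only while username reaches this line as a plain String. Suggest stating that precondition in the comment: `# NOTE: content_tag HTML-escapes username only if it is not already html_safe; do not pass an html_safe string here`. The method this span belongs to starts before the hunk, so where username comes from is not visible; the removed sanitize call would have returned an html_safe string with allowlisted tags kept, which is presumably what the `<h1>` name in the accompanying spec exercises. A spec example that passes an html_safe name would pin this precondition rather than leave it to the comment.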
|
||||
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: HTML escape the name of the user in ProjectsHelper#link_to_member
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
@ -248,7 +248,7 @@ describe ProjectsHelper do
|
|||
describe '#link_to_member' do
|
||||
let(:group) { build_stubbed(:group) }
|
||||
let(:project) { build_stubbed(:project, group: group) }
|
||||
let(:user) { build_stubbed(:user) }
|
||||
let(:user) { build_stubbed(:user, name: '<h1>Administrator</h1>') }
|
||||
|
||||
describe 'using the default options' do
|
||||
it 'returns an HTML link to the user' do
|
||||
|
@ -256,6 +256,13 @@ describe ProjectsHelper do
|
|||
|
||||
expect(link).to match(%r{/#{user.username}})
|
||||
end
|
||||
|
||||
it 'HTML escapes the name of the user' do
|
||||
link = helper.link_to_member(project, user)
|
||||
|
||||
expect(link).to include(ERB::Util.html_escape(user.name))
|
||||
expect(link).not_to include(user.name)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
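Review bot: The new example `it 'HTML escapes the name of the user'` covers only the default-options path of `#link_to_member`; if the helper renders the name through other branches (its body is outside this diff), those remain unexercised with the `<h1>` fixture. Overriding `let(:user)` at the describe level also means every example in this block now runs with an HTML-bearing name, which is a reasonable choice but deserves a one-line comment such as `# the name carries markup so every example in this block doubles as an escaping check`. The `not_to include(user.name)` assertion is a useful negative check and should stay alongside the `ERB::Util.html_escape` expectation.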