Merge branch 'security-html_escape_usernames' into 'master'

[master] HTML escape the name of the user in ProjectsHelper#link_to_member

See merge request gitlab/gitlabhq!2401

app/helpers/projects_helper.rb

@@ -40,7 +40,8 @@ module ProjectsHelper
       name_tag_options[:class] << 'has-tooltip'
     end
 
-    content_tag(:span, sanitize(username), name_tag_options)
+    # NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
+    content_tag(:span, username, name_tag_options)
   end
 
   def link_to_member(project, author, opts = {}, &block)

changelogs/unreleased/security-html_escape_usernames.yml

@@ -0,0 +1,5 @@
+---
+title: HTML escape the name of the user in ProjectsHelper#link_to_member
+merge_request:
+author:
+type: security

spec/helpers/projects_helper_spec.rb

@@ -248,7 +248,7 @@ describe ProjectsHelper do
   describe '#link_to_member' do
     let(:group)   { build_stubbed(:group) }
     let(:project) { build_stubbed(:project, group: group) }
-    let(:user)    { build_stubbed(:user) }
+    let(:user)    { build_stubbed(:user, name: '<h1>Administrator</h1>') }
 
     describe 'using the default options' do
       it 'returns an HTML link to the user' do
@@ -256,6 +256,13 @@ describe ProjectsHelper do
 
         expect(link).to match(%r{/#{user.username}})
       end
+
+      it 'HTML escapes the name of the user' do
+        link = helper.link_to_member(project, user)
+
+        expect(link).to include(ERB::Util.html_escape(user.name))
+        expect(link).not_to include(user.name)
+      end
     end
   end