From 9f31f95adad5500045ef35b57d133c633cd08524 Mon Sep 17 00:00:00 2001 From: Douwe Maan Date: Tue, 8 Sep 2015 11:18:55 +0100 Subject: [PATCH] Escape user-provided content in preserved HAML sections --- app/views/projects/empty.html.haml | 6 +++--- .../merge_requests/show/_how_to_merge.html.haml | 16 ++++++++-------- app/views/projects/wikis/git_access.html.haml | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/app/views/projects/empty.html.haml b/app/views/projects/empty.html.haml index e577d35d560..798f1c47da5 100644 --- a/app/views/projects/empty.html.haml +++ b/app/views/projects/empty.html.haml @@ -22,15 +22,15 @@ %h5 Git global setup %pre.light-well :preserve - git config --global user.name "#{git_user_name}" - git config --global user.email "#{git_user_email}" + git config --global user.name "#{h git_user_name}" + git config --global user.email "#{h git_user_email}" %fieldset %h5 Create a new repository %pre.light-well :preserve git clone #{ content_tag(:span, default_url_to_repo, class: 'clone')} - cd #{@project.path} + cd #{h @project.path} touch README.md git add README.md git commit -m "add README" diff --git a/app/views/projects/merge_requests/show/_how_to_merge.html.haml b/app/views/projects/merge_requests/show/_how_to_merge.html.haml index db1575f899a..f18cf96c17d 100644 --- a/app/views/projects/merge_requests/show/_how_to_merge.html.haml +++ b/app/views/projects/merge_requests/show/_how_to_merge.html.haml 
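Review bot: The one interpolation this hunk leaves unwrapped, `#{ content_tag(:span, default_url_to_repo, class: 'clone')}`, carries no comment saying why it is exempt, so a reader cannot tell a deliberate choice from an omission. `content_tag` HTML-escapes its content unless that content is already marked html_safe, so the line looks safe provided `default_url_to_repo` (defined outside this diff) returns a plain string. Since the commit title implies that interpolation inside `:preserve` is not escaped automatically, I would add a HAML comment above the `%pre.light-well` block, for example `-# :preserve does not escape interpolation: wrap user data in h; content_tag escapes its own content`. The same applies to the `git clone` line in app/views/projects/wikis/git_access.html.haml.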
@@ -11,12 +11,12 @@ %pre.dark - if @merge_request.for_fork? :preserve - git fetch #{@merge_request.source_project.http_url_to_repo} #{@merge_request.source_branch} - git checkout -b #{@merge_request.source_project_path}-#{@merge_request.source_branch} FETCH_HEAD + git fetch #{h @merge_request.source_project.http_url_to_repo} #{h @merge_request.source_branch} + git checkout -b #{h @merge_request.source_project_path}-#{h @merge_request.source_branch} FETCH_HEAD - else :preserve git fetch origin - git checkout -b #{@merge_request.source_branch} origin/#{@merge_request.source_branch} + git checkout -b #{h @merge_request.source_branch} origin/#{h @merge_request.source_branch} %p %strong Step 2. Review the changes locally @@ -27,18 +27,18 @@ %pre.dark - if @merge_request.for_fork? :preserve - git checkout #{@merge_request.target_branch} - git merge --no-ff #{@merge_request.source_project_path}-#{@merge_request.source_branch} + git checkout #{h @merge_request.target_branch} + git merge --no-ff #{h @merge_request.source_project_path}-#{h @merge_request.source_branch} - else :preserve - git checkout #{@merge_request.target_branch} - git merge --no-ff #{@merge_request.source_branch} + git checkout #{h @merge_request.target_branch} + git merge --no-ff #{h @merge_request.source_branch} %p %strong Step 4. Push the result of the merge to GitLab %pre.dark :preserve - git push origin #{@merge_request.target_branch} + git push origin #{h @merge_request.target_branch} - unless @merge_request.can_be_merged_by?(current_user) %p Note that pushing to GitLab requires write access to this repository. diff --git a/app/views/projects/wikis/git_access.html.haml b/app/views/projects/wikis/git_access.html.haml index 825f2a161c4..fd266baf660 100644 --- a/app/views/projects/wikis/git_access.html.haml +++ b/app/views/projects/wikis/git_access.html.haml 
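Review bot: `h` covers the HTML context only, while the text rendered by the `:preserve` blocks in the `@@ -11,12 +11,12 @@` hunk is a shell command meant to be copied into a terminal. `@merge_request.source_branch` and `source_project_path` are user-chosen (for a fork, presumably by the fork's owner), and git permits characters in ref names that a shell treats specially, so the pasted command may not do what the page shows. I would shell-quote each value before HTML-escaping it, e.g. `git checkout -b #{h Shellwords.escape(@merge_request.source_branch)} origin/#{h Shellwords.escape(@merge_request.source_branch)}`. The second hunk of this file has the same gap, as do the `cd` lines in projects/empty.html.haml and wikis/git_access.html.haml and the double-quoted `user.name`/`user.email` lines in projects/empty.html.haml.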
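Review bot: Nothing pins the escaping added in the `@@ -27,18 +27,18 @@` hunk: the diffstat lists three view files and no spec, so a later edit that drops an `h` from a line such as `git merge --no-ff #{h @merge_request.source_branch}` would go unnoticed. I would add a view spec for `_how_to_merge` that assigns a merge request whose source and target branch names contain markup characters (a constructed sample value). It should assert that the rendered page carries only the escaped form, along the lines of `expect(rendered).to include(ERB::Util.html_escape(branch_name))` and `expect(rendered).not_to include(branch_name)`. Both the `for_fork?` branch and the `else` branch need a case, since each has its own `:preserve` block.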
@@ -20,7 +20,7 @@ %pre.dark :preserve git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')} - cd #{@project_wiki.path} + cd #{h @project_wiki.path} %legend Start Gollum And Edit Locally: %pre.dark