Escape html entities when no label found

changelogs/unreleased/54427-label-xss.yml

@@ -0,0 +1,5 @@
+---
+title: Escape html entities in LabelReferenceFilter when no label found
+merge_request:
+author:
+type: security

lib/banzai/filter/label_reference_filter.rb

@@ -29,7 +29,7 @@ module Banzai
           if label
             yield match, label.id, project, namespace, $~
           else
-            match
+            escape_html_entities(match)
           end
         end
       end
@@ -102,6 +102,10 @@ module Banzai
         CGI.unescapeHTML(text.to_s)
       end
 
+      def escape_html_entities(text)
+        CGI.escapeHTML(text.to_s)
+      end
+
       def object_link_title(object, matches)
         # use title of wrapped element instead
         nil

spec/lib/banzai/filter/label_reference_filter_spec.rb

@@ -236,6 +236,24 @@ describe Banzai::Filter::LabelReferenceFilter do
     end
   end
 
+  context 'References with html entities' do
+    let!(:label)     { create(:label, name: '<html>', project: project) }
+
+    it 'links to a valid reference' do
+      doc = reference_filter('See ~"<html>"')
+
+      expect(doc.css('a').first.attr('href')).to eq urls
+        .project_issues_url(project, label_name: label.name)
+      expect(doc.text).to eq 'See <html>'
+    end
+
+    it 'ignores invalid label names and escapes entities' do
+      act = %(Label #{Label.reference_prefix}"&lt;non valid&gt;")
+
+      expect(reference_filter(act).to_html).to eq act
+    end
+  end
+
   describe 'consecutive references' do
     let(:bug) { create(:label, name: 'bug', project: project) }
     let(:feature_proposal) { create(:label, name: 'feature proposal', project: project) }