Merge branch 'prevent-html-injection' into 'master'
Prevent html injection The Commits page renders the commit description with the simple_format method, which allows html tags. So a commit message with html tags breaks the Commits page. See screenshot ![Screenshot 2014-07-10 11.16.40](https://dev.gitlab.org/uploads/gitlab/gitlabhq/6606e1bac0/Screenshot_2014-07-10_11.16.40.png) See merge request !959
commit
a338954c33
|
@ -177,10 +177,18 @@ li.commit {
|
|||
|
||||
.commit-row-description {
|
||||
font-size: 14px;
|
||||
border-left: 1px solid #e5e5e5;
|
||||
padding: 0 15px 0 7px;
|
||||
border-left: 1px solid #EEE;
|
||||
padding: 10px 15px;
|
||||
margin: 5px 0 10px 5px;
|
||||
background: #f9f9f9;
|
||||
display: none;
|
||||
|
||||
pre {
|
||||
border: none;
|
||||
background: inherit;
|
||||
padding: 0;
|
||||
margin: 0;
|
||||
}
|
||||
}
|
||||
|
||||
.commit-row-info {
|
||||
|
|
|
@ -22,7 +22,8 @@
|
|||
|
||||
- if commit.description?
|
||||
.commit-row-description.js-toggle-content
|
||||
= simple_format(commit.description)
|
||||
%pre
|
||||
= commit.description
|
||||
|
||||
.commit-row-info
|
||||
= commit_author_link(commit, avatar: true, size: 16)
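Review bot: The escaping of `commit.description` inside the new `%pre` is implicit. `= commit.description` only renders markup as text while HAML's HTML escaping is enabled and the string is never marked `html_safe` upstream, and neither is visible in this hunk. A one-line template comment would record the intent, for example `-# commit.description is untrusted repository text: keep it escaped, never raw/html_safe`. The commit as shown adds no spec, so a view or feature spec asserting that a description containing tags is rendered as literal text would guard against regressions. Other templates that may still pass commit fields through `simple_format` are outside this page and would need the same check.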
|
||||
|
|