Merge branch 'note-preview' into 'security-10-2'

prevent potential XSS when editing comment

See merge request gitlab/gitlabhq!2238

(cherry picked from commit 80ed6d25a46c0f70ec8baea78b5777118d63876c)

7480e462 prevent potential XSS when editing comment
Fatih Acet 2017-12-06 20:10:32 +00:00 committed by Michael Kozono
parent c59ae54705
commit f4fbe61a9e
2 changed files with 17 additions and 1 deletions


@ -1,5 +1,6 @@
<script>
import { mapGetters, mapActions } from 'vuex';
import { escape } from 'underscore';
import Flash from '../../flash';
import userAvatarLink from '../../vue_shared/components/user_avatar/user_avatar_link.vue';
import noteHeader from './note_header.vue';
@ -85,7 +86,7 @@
};
this.isRequesting = true;
this.oldContent = this.note.note_html;
this.note.note_html = noteText;
this.note.note_html = escape(noteText);
this.updateNote(data)
.then(() => {
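Review bot: `this.note.note_html = escape(noteText);` stores an HTML-escaped copy of the raw markdown the user typed into a field that the spec shows is bound to `innerHTML`, so until `updateNote` resolves the note body displays literal markdown source rather than a rendered preview, and nothing in the hunk says that this is intended. A comment would make the contract explicit: `// Optimistic placeholder: show the escaped raw text (not rendered markdown) until the server returns sanitized note_html.` Underscore's `escape` covers `& < > " '` and backtick, which is adequate for the text position exercised here, but that guarantee does not extend to attribute or script contexts should `note_html` ever be used elsewhere. The enclosing method starts and ends outside the hunk, so the `.then` handler that should overwrite the placeholder and the failure path that restores `this.oldContent` are not visible here.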


@ -41,4 +41,19 @@ describe('issue_note', () => {
it('should render issue body', () => {
expect(vm.$el.querySelector('.note-text').innerHTML).toEqual(note.note_html);
});
it('prevents note preview xss', (done) => {
const imgSrc = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
const noteBody = `<img src="${imgSrc}" onload="alert(1)" />`;
const alertSpy = spyOn(window, 'alert');
vm.updateNote = () => new Promise($.noop);
vm.formUpdateHandler(noteBody, null, $.noop);
setTimeout(() => {
expect(alertSpy).not.toHaveBeenCalled();
expect(vm.note.note_html).toEqual(_.escape(noteBody));
done();
}, 0);
});
});
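Review bot: The `expect(alertSpy).not.toHaveBeenCalled()` check inside the `setTimeout(..., 0)` callback is a weak negative test: if an `<img onload>` payload did reach the DOM, its load event fires asynchronously and may settle after the zero-delay timeout, so the spec could pass for the wrong reason. The assertion that actually pins the fix is `expect(vm.note.note_html).toEqual(_.escape(noteBody))`; since the preceding spec shows `.note-text` is rendered from `note_html`, a DOM-level check would strengthen it, e.g. `expect(vm.$el.querySelector('.note-text img')).toBeNull();`. Waiting on `vm.$nextTick` rather than `setTimeout` would also tie the assertions to Vue's render cycle instead of an arbitrary delay. `vm.updateNote = () => new Promise($.noop)` deliberately never settles, which keeps the placeholder in place for the assertion but leaves `isRequesting` true; a short comment such as `// pending forever so the optimistic value is what gets asserted` would save the next reader from guessing.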