![]() Remove persistent XSS vulnerability in `commit_person_link` helper Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126 See merge request !1948 |
||
---|---|---|
.. | ||
config | ||
controllers | ||
factories | ||
features | ||
finders | ||
fixtures | ||
helpers | ||
initializers | ||
javascripts | ||
lib | ||
mailers | ||
models | ||
requests | ||
routing | ||
services | ||
support | ||
tasks/gitlab | ||
views | ||
workers | ||
factories_spec.rb | ||
rails_helper.rb | ||
spec_helper.rb | ||
teaspoon_env.rb |