Skip to content

G
gitlab-foss

李少辉-开发者 / gitlab-foss

通知 15
Star 0
Fork 0
G
gitlab-foss

体验新版 GitCode,发现更多精彩内容 >>

提交 6846b70d 编写于 作者: J Jacob Schatz 提交者: Stan Hu
浏览文件
操作

Merge branch 'label-xss-10-3' into 'security-10-3' 

[10.3] Fix XSS in issue label dropdown

See merge request gitlab/gitlabhq!2253

(cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360)

ea1fb0ea Fix XSS in issue label dropdown
上级 72a57525
隐藏空白更改
内联 并排
Showing with 10 addition and 1 deletion
app/assets/javascripts/labels_select.js
浏览文件 @ 6846b70d
......@@ -231,7 +231,7 @@ export default class LabelsSelect {
selectedClass.push('label-item');
$a.attr('data-label-id', label.id);
}
$a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
$a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
// Return generated html
return $li.html($a).prop('outerHTML');
},
......
spec/features/issues/issue_sidebar_spec.rb
浏览文件 @ 6846b70d
......@@ -8,6 +8,7 @@ feature 'Issue Sidebar' do
let(:issue) { create(:issue, project: project) }
let!(:user) { create(:user)}
let!(:label) { create(:label, project: project, title: 'bug') }
let!(:xss_label) { create(:label, project: project, title: '<script>alert("xss");</script>') }
before do
sign_in(user)
......@@ -99,6 +100,14 @@ feature 'Issue Sidebar' do
restore_window_size
open_issue_sidebar
end
it 'escapes XSS when viewing issue labels' do
page.within('.block.labels') do
find('.edit-link').click
expect(page).to have_content '<script>alert("xss");</script>'
end
end
end
context 'editing issue labels', :js do
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册