Sanitize search text to prevent XSS

88f00c71 · samantha-dev · Samantha Ming · 3e2d0afa · 88f00c71 · 88f00c71
Showing with 7 addition and 1 deletion

app/assets/javascripts/project_find_file.js app/assets/javascripts/project_find_file.js +2 -1

changelogs/unreleased/security-stored-xss-using-find-file.yml ...gelogs/unreleased/security-stored-xss-using-find-file.yml +5 -0

未找到文件。
--- a/app/assets/javascripts/project_find_file.js
+++ b/app/assets/javascripts/project_find_file.js
@@ -5,6 +5,7 @@ import fuzzaldrinPlus from 'fuzzaldrin-plus';
 import axios from '~/lib/utils/axios_utils';
 import flash from '~/flash';
 import { __ } from '~/locale';
+import sanitize from 'sanitize-html';

 // highlight text(awefwbwgtc -> <b>a</b>wefw<b>b</b>wgt<b>c</b> )
 const highlighter = function(element, text, matches) {
@@ -75,7 +76,7 @@ export default class ProjectFindFile {

  findFile() {
    var result, searchText;
-    searchText = this.inputElement.val();
+    searchText = sanitize(this.inputElement.val());
    result =
      searchText.length > 0 ? fuzzaldrinPlus.filter(this.filePaths, searchText) : this.filePaths;
    return this.renderList(result, searchText);

--- a/changelogs/unreleased/security-stored-xss-using-find-file.yml
+++ b/changelogs/unreleased/security-stored-xss-using-find-file.yml
+---
+title: Sanitize search text to prevent XSS
+merge_request:
+author:
+type: security