Commit 4bc4f065 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'escape-commit-titles' into 'master'

Escape HTML in commit titles in system note messages

Closes #17348

See merge request !4084
parents 4a47470f adf9a518
......@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.8.0 (unreleased)
- Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
- Project#open_branches has been cleaned up and no longer loads entire records into memory.
- Escape HTML in commit titles in system note messages
- Log to application.log when an admin starts and stops impersonating a user
- Updated gitlab_git to 10.1.0
- GitAccess#protected_tag? no longer loads all tags just to check if a single one exists
......
......@@ -351,7 +351,7 @@ def self.cross_reference_note_content(gfm_reference)
# Returns an Array of Strings
def self.new_commit_summary(new_commits)
new_commits.collect do |commit|
"* #{commit.short_id} - #{commit.title}"
"* #{commit.short_id} - #{escape_html(commit.title)}"
end
end
......@@ -433,4 +433,8 @@ def self.noteable_moved(noteable, project, noteable_ref, author, direction:)
body = "Moved #{direction} #{cross_reference}"
create_note(noteable: noteable, project: project, author: author, note: body)
end
def self.escape_html(text)
Rack::Utils.escape_html(text)
end
end
......@@ -506,6 +506,15 @@
end
end
describe '.new_commit_summary' do
it 'escapes HTML titles' do
commit = double(title: '<pre>This is a test</pre>', short_id: '12345678')
escaped = '* 12345678 - &lt;pre&gt;This is a test&lt;&#x2F;pre&gt;'
expect(described_class.new_commit_summary([commit])).to eq([escaped])
end
end
include JiraServiceHelper
describe 'JIRA integration' do
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment