Commit ec4b6c70 authored by Tim Zallmann's avatar Tim Zallmann Committed by Yorick Peterse

Merge branch 'security-11-6-55320-stored-xss-in-user-status' into 'security-11-6'

[11.6] Use sanitized user status message in user popover

See merge request gitlab/gitlabhq!2838

(cherry picked from commit 919913d4511c1e78b65d6bb29082ddc597b525f3)

9b736da4 Use sanitized user status message for user popover
parent 977a9de7
......@@ -46,10 +46,10 @@ export default {
return null;
},
statusHtml() {
if (this.user.status.emoji && this.user.status.message) {
return `${glEmojiTag(this.user.status.emoji)} ${this.user.status.message}`;
} else if (this.user.status.message) {
return this.user.status.message;
if (this.user.status.emoji && this.user.status.message_html) {
return `${glEmojiTag(this.user.status.emoji)} ${this.user.status.message_html}`;
} else if (this.user.status.message_html) {
return this.user.status.message_html;
}
return '';
},
......
---
title: Use sanitized user status message for user popover
merge_request:
author:
type: security
......@@ -119,7 +119,7 @@ describe('User Popover Component', () => {
describe('status data', () => {
it('should show only message', () => {
const testProps = Object.assign({}, DEFAULT_PROPS);
testProps.user.status = { message: 'Hello World' };
testProps.user.status = { message_html: 'Hello World' };
vm = mountComponent(UserPopover, {
...DEFAULT_PROPS,
......@@ -131,12 +131,12 @@ describe('User Popover Component', () => {
it('should show message and emoji', () => {
const testProps = Object.assign({}, DEFAULT_PROPS);
testProps.user.status = { emoji: 'basketball_player', message: 'Hello World' };
testProps.user.status = { emoji: 'basketball_player', message_html: 'Hello World' };
vm = mountComponent(UserPopover, {
...DEFAULT_PROPS,
target: document.querySelector('.js-user-link'),
status: { emoji: 'basketball_player', message: 'Hello World' },
status: { emoji: 'basketball_player', message_html: 'Hello World' },
});
expect(vm.$el.textContent).toContain('Hello World');
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment