authorFatih Acet <fatih@gitlab.com>2017-12-06 20:10:32 +0000
committerMichael Kozono <mkozono@gmail.com>2017-12-08 13:48:23 -0800
commitf4fbe61a9e073d8e49b0e8104961b2556ce3ac05 (patch)
tree5f7dd68f626762347cbb7b156d188127869f50a0
parentc59ae5470546d1169ee3ab89486140e815400f31 (diff)
Merge branch 'note-preview' into 'security-10-2'
prevent potential XSS when editing comment. See merge request gitlab/gitlabhq!2238 (cherry picked from commit 80ed6d25a46c0f70ec8baea78b5777118d63876c) 7480e462 prevent potential XSS when editing comment
-rw-r--r--app/assets/javascripts/notes/components/issue_note.vue3
-rw-r--r--spec/javascripts/notes/components/issue_note_spec.js15
2 files changed, 17 insertions, 1 deletions
diff --git a/app/assets/javascripts/notes/components/issue_note.vue b/app/assets/javascripts/notes/components/issue_note.vue
index 8c81c5d6df3..3ceb961f58e 100644
--- a/app/assets/javascripts/notes/components/issue_note.vue
+++ b/app/assets/javascripts/notes/components/issue_note.vue
@@ -1,5 +1,6 @@
<script>
import { mapGetters, mapActions } from 'vuex';
+ import { escape } from 'underscore';
import Flash from '../../flash';
import userAvatarLink from '../../vue_shared/components/user_avatar/user_avatar_link.vue';
import noteHeader from './note_header.vue';
@@ -85,7 +86,7 @@
};
this.isRequesting = true;
this.oldContent = this.note.note_html;
- this.note.note_html = noteText;
+ this.note.note_html = escape(noteText);
this.updateNote(data)
.then(() => {
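Review bot: The new `escape(noteText)` line silently changes what the optimistic update shows — `noteText` is the raw markdown source, so until `updateNote` resolves the body displays escaped markdown (literal `**`, `#`, backticks) rather than rendered HTML, and nothing in the hunk says this is deliberate. Since `note_html` is injected as HTML (the spec compares it against `.note-text` innerHTML), the escape is the right call, but it deserves a why-comment so a later "fix" does not reintroduce the raw assignment: `// Optimistic update: note_html is inserted as HTML, so never assign unescaped user input here; show the escaped markdown source until the server returns the rendered body.`. I would also confirm that the failure path restores `this.oldContent` so a rejected request does not leave the escaped source in place; that code, like the rest of `formUpdateHandler`, begins and ends outside this hunk.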
diff --git a/spec/javascripts/notes/components/issue_note_spec.js b/spec/javascripts/notes/components/issue_note_spec.js
index 73fd188dbe5..bd888b2cbae 100644
--- a/spec/javascripts/notes/components/issue_note_spec.js
+++ b/spec/javascripts/notes/components/issue_note_spec.js
@@ -41,4 +41,19 @@ describe('issue_note', () => {
it('should render issue body', () => {
expect(vm.$el.querySelector('.note-text').innerHTML).toEqual(note.note_html);
});
+
+ it('prevents note preview xss', (done) => {
+ const imgSrc = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
+ const noteBody = `<img src="${imgSrc}" onload="alert(1)" />`;
+ const alertSpy = spyOn(window, 'alert');
+ vm.updateNote = () => new Promise($.noop);
+
+ vm.formUpdateHandler(noteBody, null, $.noop);
+
+ setTimeout(() => {
+ expect(alertSpy).not.toHaveBeenCalled();
+ expect(vm.note.note_html).toEqual(_.escape(noteBody));
+ done();
+ }, 0);
+ });
});
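Review bot: The `alertSpy` assertion on its own does not prove the fix — an `<img>` with a `data:` source fires `load` asynchronously, so on unpatched code the 0 ms timeout may well run before `onload` would, and the spy would still report no call. The assertion that actually pins the behaviour is the `_.escape(noteBody)` equality; to make the DOM-level check meaningful, assert that no image element was rendered at all, `expect(vm.$el.querySelector('.note-text img')).toBeNull();`, inside the existing timeout (Vue flushes the re-render before a macrotask timer) or a `vm.$nextTick` callback. Note also that `new Promise($.noop)` never settles, so neither the success nor the `oldContent` restore path is exercised here; a second case with a rejecting `updateNote` would cover the rollback.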