diff options
| author | Filipa Lacerda <filipa@gitlab.com> | 2018-08-09 12:05:13 +0100 |
|---|---|---|
| committer | Jose Vargas <jvargas@gitlab.com> | 2018-08-28 16:36:25 -0500 |
| commit | ec40b36905d0a71edb4bfae592018b6ae580a492 (patch) | |
| tree | f3fa27efe3afcda934b8b055fdd54273a6020053 /app/views/ci | |
| parent | e271b302c481d74a6e9fa43a8328821f96bc5b89 (diff) | |
| download | gitlab-ce-ec40b36905d0a71edb4bfae592018b6ae580a492.tar.gz | |
Removes <br> sent from backend on tooltips in jobs
When backend sends HTML it requires frontend to append it to the DOM causing
XSS vulnerabilities. By removing the `<br>` we avoid those vulnerabilities
Diffstat (limited to 'app/views/ci')
| -rw-r--r-- | app/views/ci/status/_dropdown_graph_badge.html.haml | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/app/views/ci/status/_dropdown_graph_badge.html.haml b/app/views/ci/status/_dropdown_graph_badge.html.haml index 8b0463db000..9de9143e8b1 100644 --- a/app/views/ci/status/_dropdown_graph_badge.html.haml +++ b/app/views/ci/status/_dropdown_graph_badge.html.haml @@ -6,12 +6,12 @@ - tooltip = "#{subject.name} - #{status.status_tooltip}" - if status.has_details? - = link_to status.details_path, class: 'mini-pipeline-graph-dropdown-item', data: { toggle: 'tooltip', title: tooltip, html: 'true', container: 'body' } do + = link_to status.details_path, class: 'mini-pipeline-graph-dropdown-item', data: { toggle: 'tooltip', title: tooltip, container: 'body' } do %span{ class: klass }= sprite_icon(status.icon) %span.ci-build-text= subject.name - else - .menu-item.mini-pipeline-graph-dropdown-item{ data: { toggle: 'tooltip', html: 'true', title: tooltip, container: 'body' } } + .menu-item.mini-pipeline-graph-dropdown-item{ data: { toggle: 'tooltip', title: tooltip, container: 'body' } } %span{ class: klass }= sprite_icon(status.icon) %span.ci-build-text= subject.name |