diff options
| author | Felipe Artur Cardozo <fcardozo@gitlab.com> | 2018-07-26 21:16:24 +0000 |
|---|---|---|
| committer | Felipe Artur Cardozo <fcardozo@gitlab.com> | 2018-07-26 21:16:24 +0000 |
| commit | 9852304befb88cd112cb681ff5cca0c31cd2ddd4 (patch) | |
| tree | 67f5a155322f213a8b7b756b83ae4633153671b6 /app | |
| parent | dae85363e363cc92e335808b2bd4e0608d92d760 (diff) | |
| parent | 0a59ccac61d16dde068d3a78a04060265dd34e28 (diff) | |
| download | gitlab-ce-9852304befb88cd112cb681ff5cca0c31cd2ddd4.tar.gz | |
Merge branch 'security-ide-branch-name-xss' into 'master'
[master] Fixed XSS in branch name in Web IDE
See merge request gitlab/gitlabhq!2431
Diffstat (limited to 'app')
| -rw-r--r-- | app/assets/javascripts/ide/components/commit_sidebar/actions.vue | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue index eb7cb9745ec..a8b5c7a16d0 100644 --- a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue +++ b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue @@ -1,4 +1,5 @@ <script> +import _ from 'underscore'; import { mapActions, mapState, mapGetters } from 'vuex'; import { sprintf, __ } from '~/locale'; import * as consts from '../../stores/modules/commit/constants'; @@ -14,7 +15,7 @@ export default { commitToCurrentBranchText() { return sprintf( __('Commit to %{branchName} branch'), - { branchName: `<strong class="monospace">${this.currentBranchId}</strong>` }, + { branchName: `<strong class="monospace">${_.escape(this.currentBranchId)}</strong>` }, false, ); }, |