Merge branch 'security-2682-fix-xss-for-markdown-toc' into 'master'

[master] Fix xss for Markdown elements where [[_TOC_]] is enabled See merge request gitlab/gitlabhq!2400
author: Alessio Caiazza <acaiazza@gitlab.com> 2018-06-25 16:15:41 +0000
committer: Alessio Caiazza <acaiazza@gitlab.com> 2018-06-25 16:15:41 +0000
commit: 9d6499a57812cd27014afe9663339f89927c3b82 (patch)
tree: 128416ece33448de935a1f4f43746906aa716adb /lib/banzai
parent: 70c02bf3bce18d39a4fae85bb927334391cd2a5e (diff)
parent: 00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa (diff)
download: gitlab-ce-9d6499a57812cd27014afe9663339f89927c3b82.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/banzai/filter/table_of_contents_filter.rb b/lib/banzai/filter/table_of_contents_filter.rb
index 97244159985..b32660a8341 100644
--- a/lib/banzai/filter/table_of_contents_filter.rb
+++ b/lib/banzai/filter/table_of_contents_filter.rb
@@ -92,7 +92,7 @@ module Banzai
         def text
           return '' unless node
 
-          @text ||= node.text
+          @text ||= EscapeUtils.escape_html(node.text)
         end
 
         private
author	Alessio Caiazza <acaiazza@gitlab.com>	2018-06-25 16:15:41 +0000
committer	Alessio Caiazza <acaiazza@gitlab.com>	2018-06-25 16:15:41 +0000
commit	9d6499a57812cd27014afe9663339f89927c3b82 (patch)
tree	128416ece33448de935a1f4f43746906aa716adb /lib/banzai
parent	70c02bf3bce18d39a4fae85bb927334391cd2a5e (diff)
parent	00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa (diff)
download	gitlab-ce-9d6499a57812cd27014afe9663339f89927c3b82.tar.gz