From 6cf7dd625a7db143c146de1b146cba7dbcbc2576 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 10 Apr 2015 18:27:42 +0200
Subject: Fix persistent XSS vulnerability around profile website URLs.
---
 CHANGELOG | 2 ++
 app/models/user.rb | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 0878c03207b..3c119a93d36 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.
 v 7.10.0 (unreleased)
+ - Fix persistent XSS vulnerability around profile website URLs.
+
 - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
 - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
 - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
 - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/app/models/user.rb b/app/models/user.rb
index 515f29ea0ba..e2b6757bc4d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -486,13 +486,13 @@ class User < ActiveRecord::Base
 end
 def full_website_url
- return "http://#{website_url}" if website_url !~ /^https?:\/\//
+ return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//
 website_url
 end
 def short_website_url
- website_url.gsub(/https?:\/\//, '')
+ website_url.sub(/\Ahttps?:\/\//, '')
 end
 def all_ssh_keys
-- 
cgit v1.2.1
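Review bot: The new `\A`-anchored regexes in `full_website_url` and `short_website_url` are case-sensitive, so a stored value such as `HTTPS://example.com` fails the scheme test and comes back as `http://HTTPS://example.com` — not exploitable, since the forced prefix pins the scheme, but a broken link; `%r{\Ahttps?://}i` in both methods would close that gap, and `website_url.to_s` before the match would keep a nil value from returning `http://` in one method and raising in the other (that nil handling predates this commit). The anchor change is the right fix for the multi-line bypass that `^` allowed, but it still leaves the guard at render time only, so a stored `javascript:` value survives in the database and any other caller that reads `website_url` directly is unprotected; a model validation that parses the value and rejects any scheme other than http, https or none would make the stored data safe rather than relying on every view to call `full_website_url` (and, presumably, on Rails escaping the href). The `end` that opens the hunk closes a method defined above it, and `all_ssh_keys` continues past the hunk.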