From bea83d2579ca3b8ca48802f5c114cea60bce396e Mon Sep 17 00:00:00 2001
From: Hiroyuki Sato
Date: Thu, 27 Oct 2016 10:47:14 +0900
Subject: Remove an extra leading space from diff content
---
 app/helpers/diff_helper.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'app/helpers/diff_helper.rb')
diff --git a/app/helpers/diff_helper.rb b/app/helpers/diff_helper.rb
index 0725c3f4c56..f489f9aa0d6 100644
--- a/app/helpers/diff_helper.rb
+++ b/app/helpers/diff_helper.rb
@@ -51,12 +51,11 @@ module DiffHelper
 html.html_safe
 end
- def diff_line_content(line, line_type = nil)
+ def diff_line_content(line)
 if line.blank?
- "  ".html_safe
+ " ".html_safe
 else
- line[0] = ' ' if %w[new old].include?(line_type)
- line
+ line.sub(/^[\-+ ]/, '').html_safe
 end
 end
-- 
cgit v1.2.1
From edf7dbfacd5a6b884ae1af72204e3718e89f3c35 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Fri, 2 Dec 2016 08:48:32 +0000
Subject: Merge branch 'html-safe-diff-line-content' into 'security'
Don't accidentally mark unsafe diff lines as HTML safe
Fixes potential XSS issue when a legacy diff note is created on a merge request whose diff contained HTML
See https://gitlab.com/gitlab-org/gitlab-ce/issues/25249
See merge request !2040
---
 app/helpers/diff_helper.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'app/helpers/diff_helper.rb')
diff --git a/app/helpers/diff_helper.rb b/app/helpers/diff_helper.rb
index f489f9aa0d6..c35d6611ab0 100644
--- a/app/helpers/diff_helper.rb
+++ b/app/helpers/diff_helper.rb
@@ -55,7 +55,9 @@ module DiffHelper
 if line.blank?
 " ".html_safe
 else
- line.sub(/^[\-+ ]/, '').html_safe
+ # We can't use `sub` because the HTML-safeness of `line` will not survive.
+ line[0] = '' if line.start_with?('+', '-', ' ')
+ line
 end
 end
-- 
cgit v1.2.1
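Review bot: The new else-branch, `line.sub(/^[\-+ ]/, '').html_safe`, marks the result as HTML-safe no matter what the caller passed, so if `line` arrives as an unescaped String it is rendered as raw markup; the code it replaces returned `line` with whatever safeness it already had. The second commit on this page (edf7dbf) removes that `.html_safe` for exactly this reason, so the fix itself is not re-proposed here, but the commit message should have called out that the change alters escaping behaviour and not just the leading character. Separately, `^` in a Ruby regex also matches after any embedded newline; `\A[\-+ ]` would pin the marker to the start of the string. The enclosing `module DiffHelper` begins and ends outside the hunk.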
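Review bot: `line[0] = ''` now mutates the argument in place, which the `sub` form it replaces did not; a frozen string argument raises, and if the same `line` object is passed through this helper twice the second call strips its first real character instead of the marker. Whether any caller freezes or reuses the string is not visible from the hunk, so at minimum the contract belongs above the method: `# Strips the leading diff marker from line in place and returns it; callers that need the original must pass a copy.` If copying is acceptable, `line = line.dup` before the assignment avoids both problems and, as far as I can tell, keeps the html_safe flag on an ActiveSupport::SafeBuffer because SafeBuffer copies it in initialize_copy, which should be confirmed against the Rails version in use. The enclosing `module DiffHelper` begins and ends outside the hunk.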