Jérome Perrin / gitlab-ce / Commits / adf9a518

Commit adf9a518, authored May 07, 2016 by Stan Hu

Escape HTML in commit titles in system note messages

Closes #17348

parent 2e116227
Changes: 3 changed files with 15 additions and 1 deletion (+15 / -1)

- CHANGELOG (+1 / -0)
- app/services/system_note_service.rb (+5 / -1)
- spec/services/system_note_service_spec.rb (+9 / -0)
CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.8.0 (unreleased)
- Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
- Project#open_branches has been cleaned up and no longer loads entire records into memory.
- Escape HTML in commit titles in system note messages
- Log to application.log when an admin starts and stops impersonating a user
- Updated gitlab_git to 10.1.0
- GitAccess#protected_tag? no longer loads all tags just to check if a single one exists
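Review bot: the new entry `- Escape HTML in commit titles in system note messages` carries no issue or merge-request reference, although the commit itself closes #17348 and the neighbouring `!3934 (Long Nguyen)` entry shows the file's convention; appending `#17348` to the entry would let a reader of the changelog find the report behind a security-relevant fix without digging through git history.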
app/services/system_note_service.rb
@@ -351,7 +351,7 @@ class SystemNoteService
# Returns an Array of Strings
def
self
.
new_commit_summary
(
new_commits
)
new_commits
.
collect
do
|
commit
|
"*
#{
commit
.
short_id
}
-
#{
commit
.
title
}
"
"*
#{
commit
.
short_id
}
-
#{
escape_html
(
commit
.
title
)
}
"
end
end
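Review bot: `commit.title` is taken straight from the git commit message and is therefore user-controlled, so wrapping it in `escape_html(...)` before it is interpolated into the note body is the right place for the fix; `commit.short_id` is left unescaped, which is acceptable since it is an abbreviated hex SHA. Consider adding a one-line comment above the `collect` block stating why the title is escaped (system note bodies are rendered as Markdown, and raw HTML in a title would otherwise reach the renderer), so that a later refactor of this string does not silently drop the call.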
@@ -433,4 +433,8 @@ class SystemNoteService
body
=
"Moved
#{
direction
}
#{
cross_reference
}
"
create_note
(
noteable:
noteable
,
project:
project
,
author:
author
,
note:
body
)
end
def
self
.
escape_html
(
text
)
Rack
::
Utils
.
escape_html
(
text
)
end
end
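Review bot: `self.escape_html(text)` is added as a public class method with no comment, although it is only an internal helper for building note bodies; consider `private_class_method :escape_html` and a short comment saying that it delegates to `Rack::Utils.escape_html`, which entity-encodes `&`, `<`, `>`, `"` and `'`, so the result is safe to interpolate into a note. The `body = "Moved #{direction} #{cross_reference}"` line in the same hunk also interpolates into a note body without escaping; it is worth confirming that `cross_reference` is assembled from trusted values only, since nothing in this hunk escapes it.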
spec/services/system_note_service_spec.rb
@@ -506,6 +506,15 @@ describe SystemNoteService, services: true do
end
end
describe
'.new_commit_summary'
do
it
'escapes HTML titles'
do
commit
=
double
(
title:
'<pre>This is a test</pre>'
,
short_id:
'12345678'
)
escaped
=
'* 12345678 - <pre>This is a test</pre>'
expect
(
described_class
.
new_commit_summary
([
commit
])).
to
eq
([
escaped
])
end
end
include
JiraServiceHelper
describe
'JIRA integration'
do
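Review bot: as rendered here, the expected value `escaped = '* 12345678 - <pre>This is a test</pre>'` contains the same raw `<pre>` tags as the input `title`, so the assertion would pass against the pre-fix, unescaped output as well and does not demonstrate that escaping happens; the expected string should hold the entity-encoded form (`* 12345678 - &lt;pre&gt;This is a test&lt;/pre&gt;`), which is what `Rack::Utils.escape_html` returns for that title. Using a `double` instead of a real commit is fine for this unit test, but a second example with a title containing `&` or a quote would also cover the other characters the helper is expected to encode.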