Sanitize milestones and label titles

app/models/label.rb

@@ -117,6 +117,11 @@ class Label < ActiveRecord::Base
     LabelsHelper::text_color_for_bg(self.color)
   end
 
+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, Sanitize.clean(value))
+  end
+
   private
 
   def label_format_reference(format = :id)

app/models/milestone.rb

@@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base
     nil
   end
 
+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, value)
+  end
+
   # Sorts the issues for the given IDs.
   #
   # This method runs a single SQL query using a CASE statement to update the

spec/lib/banzai/filter/milestone_reference_filter_spec.rb

@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
       milestone.update_attribute(:title, %{"></a>whatever<a title="})
 
       doc = reference_filter("milestone #{reference}")
-      expect(doc.text).to eq "milestone #{milestone.title}"
+      expect(doc.text).to eq "milestone \">whatever"
     end
 
     it 'includes default classes' do

spec/models/label_spec.rb

@@ -55,6 +55,14 @@ describe Label, models: true do
     end
   end
 
+  describe "#title" do
+    let(:label) { create(:label, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
+
   describe '#to_reference' do
     context 'using id' do
       it 'returns a String reference to the object' do

spec/models/milestone_spec.rb

@@ -34,6 +34,14 @@ describe Milestone, models: true do
   let(:issue) { create(:issue) }
   let(:user) { create(:user) }
 
+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
+
   describe "unique milestone title per project" do
     it "shouldn't accept the same title in a project twice" do
       new_milestone = Milestone.new(project: milestone.project, title: milestone.title)