Merge branch 'security-fix-html-injection-for-label-description-ce-master' into 'master'

Fix HTML injection for label description

See merge request gitlab/gitlabhq!3250

app/helpers/labels_helper.rb

@@ -71,7 +71,7 @@ module LabelsHelper
   end
 
   def label_tooltip_title(label)
-    label.description
+    Sanitize.clean(label.description)
   end
 
   def suggested_colors

app/models/label.rb

@@ -199,7 +199,11 @@ class Label < ApplicationRecord
   end
 
   def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
   end
 
   ##
@@ -260,7 +264,7 @@ class Label < ApplicationRecord
     end
   end
 
-  def sanitize_title(value)
+  def sanitize_value(value)
     CGI.unescapeHTML(Sanitize.clean(value.to_s))
   end
 

changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml

+---
+title: Fix HTML injection for label description
+merge_request:
+author:
+type: security

spec/helpers/labels_helper_spec.rb

@@ -278,4 +278,14 @@ describe LabelsHelper do
       it { is_expected.to eq('Subscribe at group level') }
     end
   end
+
+  describe '#label_tooltip_title' do
+    let(:html) { '<img src="example.png">This is an image</img>' }
+    let(:label_with_html_content) { create(:label, title: 'test', description: html) }
+
+    it 'removes HTML' do
+      tooltip = label_tooltip_title(label_with_html_content)
+      expect(tooltip).to eq('This is an image')
+    end
+  end
 end

spec/models/label_spec.rb

@@ -84,6 +84,13 @@ describe Label do
     end
   end
 
+  describe '#description' do
+    it 'sanitizes description' do
+      label = described_class.new(description: '<b>foo & bar?</b>')
+      expect(label.description).to eq('foo & bar?')
+    end
+  end
+
   describe 'priorization' do
     subject(:label) { create(:label) }