Merge branch 'security-access-dropdown-user-escape' into 'master'

: [master] Escape user names in access dropdowns See merge request gitlab/gitlab-ee!626

Merge branch 'security-access-dropdown-user-escape' into 'master'
: [master] Escape user names in access dropdowns See merge request gitlab/gitlab-ee!626
57fab4c6 · Mayra Cabrera · 88280301 · 9e8d0829 · 57fab4c6 · 57fab4c6
Commit 57fab4c6 authored May 29, 2018 by Mayra Cabrera
2 changed files
--- a/ee/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/ee/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -458,7 +458,7 @@ export default class AccessDropdown {
      <li>
        <a href="#" class="${isActiveClass}">
          <img src="${user.avatar_url}" class="avatar avatar-inline" width="30">
-          <strong class="dropdown-menu-user-full-name">${user.name}</strong>
+          <strong class="dropdown-menu-user-full-name">${_.escape(user.name)}</strong>
          <span class="dropdown-menu-user-username">${user.username}</span>
        </a>
      </li>

--- a/spec/javascripts/ee/projects/settings/access_dropdown_spec.js
+++ b/spec/javascripts/ee/projects/settings/access_dropdown_spec.js
@@ -123,4 +123,17 @@ describe('AccessDropdown', () => {
      });
    });
  });
+
+  describe('userRowHtml', () => {
+    it('escapes users name', () => {
+      const user = {
+        avatar_url: '',
+        name: '<img src=x onerror=alert(document.domain)>',
+        username: 'test',
+      };
+      const template = dropdown.userRowHtml(user);
+
+      expect(template).not.toContain(user.name);
+    });
+  });
 });