Commit 6207a2de authored by Imre Farkas's avatar Imre Farkas

HTML escape branch name in project graphs page

parent 4be23eea
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
#{@commits_graph.start_date.strftime('%b %d')} #{@commits_graph.start_date.strftime('%b %d')}
- end_time = capture do - end_time = capture do
#{@commits_graph.end_date.strftime('%b %d')} #{@commits_graph.end_date.strftime('%b %d')}
= (_("Commit statistics for %{ref} %{start_time} - %{end_time}") % { ref: "<strong>#{@ref}</strong>", start_time: start_time, end_time: end_time }).html_safe = (_("Commit statistics for %{ref} %{start_time} - %{end_time}") % { ref: "<strong>#{h @ref}</strong>", start_time: start_time, end_time: end_time }).html_safe
.col-md-6 .col-md-6
.tree-ref-container .tree-ref-container
......
---
title: HTML escape branch name in project graphs page
merge_request:
author:
type: security
...@@ -3,6 +3,7 @@ require 'spec_helper' ...@@ -3,6 +3,7 @@ require 'spec_helper'
describe 'Project Graph', :js do describe 'Project Graph', :js do
let(:user) { create :user } let(:user) { create :user }
let(:project) { create(:project, :repository, namespace: user.namespace) } let(:project) { create(:project, :repository, namespace: user.namespace) }
let(:branch_name) { 'master' }
before do before do
project.add_master(user) project.add_master(user)
...@@ -12,7 +13,7 @@ describe 'Project Graph', :js do ...@@ -12,7 +13,7 @@ describe 'Project Graph', :js do
shared_examples 'page should have commits graphs' do shared_examples 'page should have commits graphs' do
it 'renders commits' do it 'renders commits' do
expect(page).to have_content('Commit statistics for master') expect(page).to have_content("Commit statistics for #{branch_name}")
expect(page).to have_content('Commits per day of month') expect(page).to have_content('Commits per day of month')
end end
end end
...@@ -57,6 +58,23 @@ describe 'Project Graph', :js do ...@@ -57,6 +58,23 @@ describe 'Project Graph', :js do
it_behaves_like 'page should have languages graphs' it_behaves_like 'page should have languages graphs'
end end
context 'chart graph with HTML escaped branch name' do
let(:branch_name) { '<h1>evil</h1>' }
before do
project.repository.create_branch(branch_name, 'master')
visit charts_project_graph_path(project, branch_name)
end
it_behaves_like 'page should have commits graphs'
it 'HTML escapes branch name' do
expect(page.body).to include("Commit statistics for <strong>#{ERB::Util.html_escape(branch_name)}</strong>")
expect(page.body).not_to include(branch_name)
end
end
context 'when CI enabled' do context 'when CI enabled' do
before do before do
project.enable_ci project.enable_ci
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment