Commit f3840f41 authored by Fatih Acet's avatar Fatih Acet Committed by Winnie Hellmann

Merge branch 'note-preview' into 'security-10-2'

prevent potential XSS when editing comment

See merge request gitlab/gitlabhq!2238

(cherry picked from commit 80ed6d25a46c0f70ec8baea78b5777118d63876c)

7480e462 prevent potential XSS when editing comment
parent 89057a2b
<script>
import { mapGetters, mapActions } from 'vuex';
import { escape } from 'underscore';
import Flash from '../../flash';
import userAvatarLink from '../../vue_shared/components/user_avatar/user_avatar_link.vue';
import noteHeader from './note_header.vue';
......@@ -85,7 +86,7 @@
};
this.isRequesting = true;
this.oldContent = this.note.note_html;
this.note.note_html = noteText;
this.note.note_html = escape(noteText);
this.updateNote(data)
.then(() => {
......
......@@ -41,4 +41,19 @@ describe('issue_note', () => {
it('should render issue body', () => {
expect(vm.$el.querySelector('.note-text').innerHTML).toEqual(note.note_html);
});
it('prevents note preview xss', (done) => {
const imgSrc = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
const noteBody = `<img src="${imgSrc}" onload="alert(1)" />`;
const alertSpy = spyOn(window, 'alert');
vm.updateNote = () => new Promise($.noop);
vm.formUpdateHandler(noteBody, null, $.noop);
setTimeout(() => {
expect(alertSpy).not.toHaveBeenCalled();
expect(vm.note.note_html).toEqual(_.escape(noteBody));
done();
}, 0);
});
});
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment