Fixed XSS with merge request approvers selection

Closes #353

Fixed XSS with merge request approvers selection
Closes #353
f5ec6289 · Phil Hughes · 1725bd1c · f5ec6289 · f5ec6289 · f5ec6289
Commit f5ec6289 authored Sep 06, 2018 by Phil Hughes
3 changed files
--- a/ee/app/assets/javascripts/approvers_select.js
+++ b/ee/app/assets/javascripts/approvers_select.js
@@ -114,7 +114,7 @@ export default class ApproversSelect {
  }

  static formatSelection(group) {
-    return group.full_name || group.name;
+    return _.escape(group.full_name || group.name);
  }

  static formatResult({

--- a/ee/changelogs/unreleased/security-mr-approvers-xss.yml
+++ b/ee/changelogs/unreleased/security-mr-approvers-xss.yml
+---
+title: Fixes XSS with merge request approvers selection
+merge_request:
+author:
+type: security
--- a/ee/spec/javascripts/approvers_select_spec.js
+++ b/ee/spec/javascripts/approvers_select_spec.js
@@ -59,4 +59,22 @@ describe('ApproversSelect', () => {
      expect(output).not.toContain('<script>alert("testing")</script>');
    });
  });
+
+  describe('formatSelection', () => {
+    it('escapes full name', () => {
+      expect(
+        ApproversSelect.formatSelection({
+          full_name: '<script>alert("testing")</script>',
+        }),
+      ).not.toBe('<script>alert("testing")</script>');
+    });
+
+    it('escapes name', () => {
+      expect(
+        ApproversSelect.formatSelection({
+          name: '<script>alert("testing")</script>',
+        }),
+      ).not.toBe('<script>alert("testing")</script>');
+    });
+  });
 });