Merge branch 'branch-name-escape' into 'security'

Fix XSS in branches dropdown See merge request !2093

Merge branch 'branch-name-escape' into 'security'
8040e336 · Robert Speicher · Lin Jen-Shin · bca874df · 8040e336 · 8040e336
Commit 8040e336 authored 7 years ago by Robert Speicher Committed by Lin Jen-Shin 7 years ago
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -584,7 +584,7 @@ GitLabDropdown = (function() {
      var link = document.createElement('a');
  
      link.href = url;
-      link.innerHTML = text;
+      link.textContent = text;
  
      if (selected) {
        link.className = 'is-active';

--- a/changelogs/unreleased/branch-name-escape.yml
+++ b/changelogs/unreleased/branch-name-escape.yml
+---
+title: Fixed branches dropdown rendering branch names as HTML
+merge_request:
+author:
--- a/spec/javascripts/gl_dropdown_spec.js
+++ b/spec/javascripts/gl_dropdown_spec.js
@@ -52,12 +52,8 @@ require('~/lib/utils/url_utility');
        search: {
          fields: ['name']
        },
-        text: (project) => {
-          (project.name_with_namespace || project.name);
-        },
-        id: (project) => {
-          project.id;
-        }
+        text: project => (project.name_with_namespace || project.name),
+        id: project => project.id
      });
    }
  
@@ -80,6 +76,18 @@ require('~/lib/utils/url_utility');
      expect(this.dropdownContainerElement).toHaveClass('open');
    });
  
+    it('escapes HTML as text', () => {
+      this.projectsData[0].name_with_namespace = '<script>alert("testing");</script>';
+
+      initDropDown.call(this, false);
+
+      this.dropdownButtonElement.click();
+
+      expect(
+        $('.dropdown-content li:first-child').text(),
+      ).toBe('<script>alert("testing");</script>');
+    });
+
    describe('that is open', () => {
      beforeEach(() => {
        initDropDown.call(this, false, false);