EE - Improve slash command stripping, escape temporary note contents (!1900) · Merge requests · GitLab.org / GitLab · GitLab

Do not update/delete: Banner broadcast message test data

Do not update/delete: Notification broadcast message test data

kushalpandya requested to merge ee-32016-escape-instant-comments-and-slash-commands into master May 15, 2017

What does this MR do?

This MR is an EE port of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11341

Fixes two bugs around Instant comments that were introduced in %9.2 with https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10760

Comment contents shown as temporary note is vulnerable to XSS (writing <script>alert('Boom!');</script> is not escaped).
Slash command stripping should also include parameters provided to slash command.

Why was this MR needed?

This MR fixes regression around Instant comments feature as mentioned above.

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

~~[ ] Changelog entry added, if necessary~~
~~[ ] Documentation created/updated~~
~~[ ] API support added~~
Tests
- Added for this feature/bug
- All builds are passing
Conform by the merge request performance guides
Conform by the style guides
Branch has no merge conflicts with master (if it does - rebase it please)
Squashed related commits together

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ce/issues/32016